Vulnerability CVE-2020-1720: Information

Description

A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.

Severity: MEDIUM (6.5) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-1720

Published: March 17, 2020

Modified: Nov. 7, 2023

Error type identifier: CWE-862

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
postgresql10	p10	10.12-alt1	10.23-alt1.p10.1	ALT-PU-2020-1179-1	245892	Fixed
postgresql10	p9	10.12-alt1	10.23-alt0.M90P.1	ALT-PU-2020-1259-1	245909	Fixed
postgresql10	p8	10.12-alt0.M80P.1	10.19-alt0.M80P.1	ALT-PU-2020-1333-1	245913	Fixed
postgresql10	c10f1	10.12-alt1	10.23-alt1	ALT-PU-2020-1179-1	245892	Fixed
postgresql10	c9f2	10.12-alt1	10.23-alt0.M90P.1	ALT-PU-2020-1259-1	245909	Fixed
postgresql11	p10	11.7-alt1	11.22-alt0.p10.1	ALT-PU-2020-1180-1	245892	Fixed
postgresql11	p9	11.7-alt1	11.22-alt0.M90P.1	ALT-PU-2020-1260-1	245909	Fixed
postgresql11	p8	11.7-alt0.M80P.1	11.14-alt0.M80P.1	ALT-PU-2020-1332-1	245913	Fixed
postgresql11	c10f1	11.7-alt1	11.22-alt0.p10.1	ALT-PU-2020-1180-1	245892	Fixed
postgresql11	c9f2	11.7-alt1	11.22-alt0.M90P.1	ALT-PU-2020-1260-1	245909	Fixed
postgresql11-1C	p8	11.5-alt0.M80P.4	11.12-alt0.M80P.2	ALT-PU-2020-1334-1	245913	Fixed
postgresql12	sisyphus	12.2-alt1	12.18-alt1	ALT-PU-2020-1177-1	245892	Fixed
postgresql12	p10	12.2-alt1	12.18-alt0.p10.1	ALT-PU-2020-1177-1	245892	Fixed
postgresql12	p9	12.2-alt1	12.18-alt0.M90P.1	ALT-PU-2020-1257-1	245909	Fixed
postgresql12	p8	12.2-alt0.M80P.1	12.9-alt0.M80P.1	ALT-PU-2020-1335-1	245913	Fixed
postgresql12	c10f1	12.2-alt1	12.18-alt0.p10.1	ALT-PU-2020-1177-1	245892	Fixed
postgresql12	c9f2	12.2-alt1	12.18-alt0.c9f2.1	ALT-PU-2020-1257-1	245909	Fixed
postgresql9.6	p9	9.6.17-alt1	9.6.24-alt0.M90P.1	ALT-PU-2020-1258-1	245909	Fixed
postgresql9.6	p8	9.6.17-alt0.M80P.1	9.6.24-alt0.M80P.1	ALT-PU-2020-1336-1	245913	Fixed
postgresql9.6	c9f2	9.6.17-alt1	9.6.24-alt0.M90P.1	ALT-PU-2020-1258-1	245909	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720	Issue Tracking Patch Third Party Advisory
https://www.postgresql.org/about/news/2011/	Release Notes Vendor Advisory
openSUSE-SU-2020:1227

Affected configurations:
1. Configuration 1
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  12.0
  End excliding
  12.2
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  11.0
  End excliding
  11.7
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  10.0
  End excliding
  10.12
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  9.6
  End excliding
  9.6.17
  
  Configuration 2
  cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*
  cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
  cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*

Version: v24.4.2

Vulnerability CVE-2020-1720: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2