{"containers": {"cna": {"affected": [{"product": "PostgreSQL", "vendor": "n/a", "versions": [{"status": "affected", "version": "PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23"}]}], "descriptions": [{"lang": "en", "value": "It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23."}], "problemTypes": [{"descriptions": [{"description": "Improper Input Validation", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2020-09-18T11:06:17", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "openSUSE-SU-2020:1227", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html"}, {"name": "openSUSE-SU-2020:1228", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"}, {"name": "openSUSE-SU-2020:1244", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"}, {"name": "openSUSE-SU-2020:1243", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"}, {"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865746"}, {"name": "[debian-lts-announce] 20200817 [SECURITY] [DLA 2331-1] posgresql-9.6 security update", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00028.html"}, {"name": "GLSA-202008-13", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202008-13"}, {"name": "USN-4472-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/4472-1/"}, {"name": "openSUSE-SU-2020:1312", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"}, {"name": "openSUSE-SU-2020:1326", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14350", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PostgreSQL", "version": {"version_data": [{"version_value": "PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Improper Input Validation"}]}]}, "references": {"reference_data": [{"name": "openSUSE-SU-2020:1227", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html"}, {"name": "openSUSE-SU-2020:1228", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"}, {"name": "openSUSE-SU-2020:1244", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"}, {"name": "openSUSE-SU-2020:1243", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1865746", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865746"}, {"name": "[debian-lts-announce] 20200817 [SECURITY] [DLA 2331-1] posgresql-9.6 security update", "refsource": "DEBIAN", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00028.html"}, {"name": "GLSA-202008-13", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202008-13"}, {"name": "USN-4472-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/4472-1/"}, {"name": "openSUSE-SU-2020:1312", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"}, {"name": "openSUSE-SU-2020:1326", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"}, {"name": "https://security.netapp.com/advisory/ntap-20200918-0002/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:39:36.524Z"}, "title": "CVE Program Container", "references": [{"name": "openSUSE-SU-2020:1227", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html"}, {"name": "openSUSE-SU-2020:1228", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"}, {"name": "openSUSE-SU-2020:1244", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"}, {"name": "openSUSE-SU-2020:1243", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865746"}, {"name": "[debian-lts-announce] 20200817 [SECURITY] [DLA 2331-1] posgresql-9.6 security update", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00028.html"}, {"name": "GLSA-202008-13", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202008-13"}, {"name": "USN-4472-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "https://usn.ubuntu.com/4472-1/"}, {"name": "openSUSE-SU-2020:1312", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"}, {"name": "openSUSE-SU-2020:1326", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-14350", "datePublished": "2020-08-24T12:42:45", "dateReserved": "2020-06-17T00:00:00", "dateUpdated": "2024-08-04T12:39:36.524Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "11AA6065-FAE8-4A2E-8B5B-91EA30B13B9A", "versionEndExcluding": "9.5.23", "versionStartIncluding": "9.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "A69144A7-9884-402C-8E7B-BBA833E4BC5C", "versionEndExcluding": "9.6.19", "versionStartIncluding": "9.6", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "66E3FC4A-00FF-4006-A9E6-7B9ED8EB3F2E", "versionEndExcluding": "10.14", "versionStartIncluding": "10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "B74FDCC8-2D95-45FB-B8DE-2C1AAA71D446", "versionEndExcluding": "11.9", "versionStartIncluding": "11.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "5300CA7F-5BB7-40BA-9237-C4865C1373CF", "versionEndExcluding": "12.4", "versionStartIncluding": "12.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "matchCriteriaId": "902B8056-9E37-443B-8905-8AA93E2447FB", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23."}, {"lang": "es", "value": "Se detect\u00f3 que algunas extensiones de PostgreSQL no usaban la funci\u00f3n search_path de forma segura en su script de instalaci\u00f3n. Un atacante con suficientes privilegios podr\u00eda usar este fallo para enga\u00f1ar a un administrador para ejecutar un script especialmente dise\u00f1ado durante la instalaci\u00f3n o actualizaci\u00f3n de dicha extensi\u00f3n. Esto afecta a PostgreSQL versiones anteriores a 12.4, anteriores a 11.9, anteriores a 10.14, anteriores a 9.6.19 y anteriores a 9.5.23."}], "id": "CVE-2020-14350", "lastModified": "2024-11-21T05:03:04.240", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-08-24T13:15:10.967", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865746"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00028.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202008-13"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4472-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865746"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00028.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202008-13"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4472-1/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2020:3669", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:10-8020020200825115746.4cda2c84", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-09-08T00:00:00Z"}, {"advisory": "RHSA-2020:5619", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:9.6-8030020201201133334.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-12-17T00:00:00Z"}, {"advisory": "RHSA-2020:5620", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:12-8030020201207110000.229f0a1c", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2020-12-17T00:00:00Z"}, {"advisory": "RHSA-2020:5661", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "postgresql:9.6-8000020201214122017.f8e95b4e", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-12-22T00:00:00Z"}, {"advisory": "RHSA-2020:5664", "cpe": "cpe:/a:redhat:rhel_e4s:8.0", "package": "postgresql:10-8000020201214113918.f8e95b4e", "product_name": "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions", "release_date": "2020-12-22T00:00:00Z"}, {"advisory": "RHSA-2021:0166", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "postgresql:10-8010020201214112129.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-01-18T00:00:00Z"}, {"advisory": "RHSA-2021:0167", "cpe": "cpe:/a:redhat:rhel_eus:8.1", "package": "postgresql:9.6-8010020201214134447.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Extended Update Support", "release_date": "2021-01-18T00:00:00Z"}, {"advisory": "RHSA-2021:0163", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "postgresql:12-8020020201207110224.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-01-18T00:00:00Z"}, {"advisory": "RHSA-2021:0164", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "postgresql:9.6-8020020201201133334.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2021-01-18T00:00:00Z"}, {"advisory": "RHSA-2020:4295", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql96-postgresql-0:9.6.19-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-10-21T00:00:00Z"}, {"advisory": "RHSA-2020:5110", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql10-postgresql-0:10.14-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-11-18T00:00:00Z"}, {"advisory": "RHSA-2020:5112", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql12-postgresql-0:12.4-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2020-11-16T00:00:00Z"}, {"advisory": "RHSA-2020:4295", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql96-postgresql-0:9.6.19-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-10-21T00:00:00Z"}, {"advisory": "RHSA-2020:5110", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql10-postgresql-0:10.14-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-11-18T00:00:00Z"}, {"advisory": "RHSA-2020:5112", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql12-postgresql-0:12.4-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2020-11-16T00:00:00Z"}, {"advisory": "RHSA-2020:4295", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql96-postgresql-0:9.6.19-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-10-21T00:00:00Z"}, {"advisory": "RHSA-2020:5110", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql10-postgresql-0:10.14-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-11-18T00:00:00Z"}, {"advisory": "RHSA-2020:5112", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql12-postgresql-0:12.4-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2020-11-16T00:00:00Z"}, {"advisory": "RHSA-2021:0988", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "rhvm-appliance-0:4.4-20210310.0.el8ev", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2021-03-25T00:00:00Z"}], "bugzilla": {"description": "postgresql: Uncontrolled search path element in CREATE EXTENSION", "id": "1865746", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865746"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.", "A flaw was found in PostgreSQL, where some PostgreSQL extensions did not use the search_path safely in their installation script. This flaw allows an attacker with sufficient privileges to trick an administrator into executing a specially crafted script during the extension's installation or update. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability."], "name": "CVE-2020-14350", "package_state": [{"cpe": "cpe:/a:redhat:openshift_application_runtimes:1.0", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat build of Quarkus"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_brms_platform:7", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat Decision Manager 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "postgresql84", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "libpq", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_bpms_platform:7", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat Process Automation 7"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Storage 3"}], "public_date": "2020-08-13T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14350\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14350"], "statement": "In Red Hat Gluster Storage 3, PostgreSQL was shipped as a part of Red Hat Gluster Storage Console that is no longer supported for use with Red Hat Gluster Storage 3.5. Red Hat Gluster Storage Web Administration is now the recommended monitoring tool for Red Hat Storage Gluster clusters.", "threat_severity": "Moderate", "upstream_fix": "postgresql 12.4, postgresql 11.9, postgresql 10.14, postgresql 9.6.19, postgresql and 9.5.23"}