← Back

CVE-2020-10733

nvd nist
Published: Sep 16, 2020Modified: Nov 21, 2024

JSON object

Loading...
7.3
Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Exploitability: 1.3 / Impact: 5.9
Source: NVD

Description

The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths. Executables in the directory where the installer loads or the current working directory take precedence over the intended executables. An attacker having permission to add files into one of those directories can use this to execute arbitrary code with the installer's administrative rights.

Affected (5)

Postgresql
1 product
Postgresql
Configuration A
5 vulnerable
Vulnerable SoftwareAffected Versions
Postgresql
Postgresql
From 10.0 to 10.13
Postgresql
From 11.0 to 11.8
Postgresql
From 12.0 to 12.3
Postgresql
From 9.5 to 9.5.22
Postgresql
From 9.6 to 9.6.18

Related CWEs

CWE-426
Untrusted Search Path
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

References (6)

Source: secalert@redhat.com
Third Party Advisory
Source: secalert@redhat.com
Vendor Advisory
Source: secalert@redhat.com
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Third Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory

Timeline

No history available yet.