Vulnerability Description
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Postgresql | Postgresql | >= 9.5.0, < 9.5.24 |
| Debian | Debian Linux | 9.0 |
Related Weaknesses (CWE)
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1894430Issue TrackingPatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/12/msg00005.htmlMailing ListThird Party Advisory
- https://security.gentoo.org/glsa/202012-07Third Party Advisory
- https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524Release NotesVendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=1894430Issue TrackingPatchThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2020/12/msg00005.htmlMailing ListThird Party Advisory
- https://security.gentoo.org/glsa/202012-07Third Party Advisory
- https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524Release NotesVendor Advisory
FAQ
What is CVE-2020-25696?
CVE-2020-25696 is a vulnerability with a CVSS score of 7.5 (HIGH). A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \...
How severe is CVE-2020-25696?
CVE-2020-25696 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-25696?
Check the references section above for vendor advisories and patch information. Affected products include: Postgresql Postgresql, Debian Debian Linux.