CERT-In Vulnerability Note
Arbitrary code execution vulnerability in PostgreSQL Installer
Original Issue Date: May 19, 2020
Severity Rating: HIGH
- Windows installer for PostgreSQL versions 12.3, 11.8, 10.13, 9.6.18, and 9.5.22
A vulnerability has been reported in PostgreSQL which could be exploited by an attacker to execute arbitrary code on a targeted system.
This vulnerability exists in the PostgreSQL installer for Windows due to a failure to use fully-qualified paths when invoking system-provided executables. An attacker could exploit this vulnerability by tricking a user into installing PostgreSQL from a directory that contains malicious files.
Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code with the privileges of the PostgreSQL installer on the targeted system.
Note: This vulnerability affects the Windows installer only.
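A pre-install check for the condition described above, as an added example that is not part of the CERT-In note or of PostgreSQL's code: it lists executable-type files sitting next to a downloaded installer and marks those that share a name with a file in the Windows system directory. The function names, the extension list and the script name are assumptions made for illustration; the note does not say which executables the installer invokes, so none are hard-coded.

```python
import os
import sys
from pathlib import Path

# File types Windows will run or load; an assumed, conservative list.
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".bat", ".cmd"}


def default_system_dir():
    """System32 under %SystemRoot% (meaningful on Windows hosts only)."""
    return Path(os.environ.get("SystemRoot", r"C:\Windows")) / "System32"


def audit_installer_dir(installer, system_dir):
    """Classify executable-type files that share a directory with the installer."""
    installer = Path(installer).resolve()
    if not installer.is_file():
        raise FileNotFoundError(f"installer not found: {installer}")
    # Windows file names are case-insensitive, so compare in lower case.
    system_names = {p.name.lower() for p in Path(system_dir).iterdir() if p.is_file()}
    findings = {"shadows_system": [], "other_executable": []}
    for entry in sorted(installer.parent.iterdir()):
        name = entry.name.lower()
        if not entry.is_file() or name == installer.name.lower():
            continue
        if entry.suffix.lower() not in EXECUTABLE_EXTS:
            continue
        # A same-named file beside the installer can be found before the
        # system copy when a program is invoked without a full path.
        kind = "shadows_system" if name in system_names else "other_executable"
        findings[kind].append(entry.name)
    return findings


def is_safe_to_run(findings):
    """True only when nothing executable sits beside the installer."""
    return not any(findings.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print("usage: audit_installer_dir.py <path-to-installer.exe>")
    else:
        result = audit_installer_dir(sys.argv[1], default_system_dir())
        for kind, names in result.items():
            for name in names:
                print(f"{kind}: {name}")
        sys.exit(0 if is_safe_to_run(result) else 1)
```

Moving the installer into a newly created directory that contains nothing else, and running it from there, gives a clean result from this check.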
Apply appropriate updates as mentioned in:
The information provided herein is on "as is" basis, without warranty of any kind.
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003