Missing authorization in PostgreSQL CREATE TYPE
allows an object creator to hijack other queries that use
search_path to find user-defined types, including
extension-defined types. That is to say, the victim will execute
arbitrary SQL functions of the attacker's choice.
Integer wraparound in multiple PostgreSQL server
features allows an application input provider to cause the
server to undersize an allocation and write out-of-bounds. This
results in a segmentation fault.
Externally-controlled format string in PostgreSQL timeofday()
function allows an attacker to retrieve portions of server
memory, via crafted timezone zones.
Symlink following in
PostgreSQL pg_basebackup plain format and in pg_rewind allows an
origin superuser to overwrite local files, e.g.
/var/lib/postgres/.bashrc, that hijack the operating system
account. It will remain the case that starting the server after
these commands implicitly trusts the origin superuser, due to
features like shared_preload_libraries. Hence, the attack has
practical implications only if one takes relevant action between
these commands and server start, like moving the files to a
different VM or snapshotting the VM.
SQL injection in PostgreSQL
pg_createsubscriber allows an attacker with
pg_create_subscription rights to execute arbitrary SQL as a
superuser. The attack takes effect when pg_createsubscriber next
runs. Versions before PostgreSQL 17 are unaffected.
PostgreSQL libpq lo_* functions let server superuser overwrite
client stack memory. Use of inherently dangerous function
PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(),
lo_read(), lo_lseek64(), and lo_tell64() functions allows the
server superuser to overwrite a client stack buffer with an
arbitrarily-large response. Like gets(), PQfn(...,
result_is_int=0, ...) stores arbitrary-length, server-determined
data into a buffer of unspecified size. Because both the
\lo_export command in psql and pg_dump call lo_read(), the
server superuser can overwrite pg_dump or psql stack memory.
PostgreSQL discloses MD5-hashed passwords via covert timing
channel. Covert timing channel in comparison of MD5-hashed
password in PostgreSQL authentication allows an attacker to
recover user credentials sufficient to authenticate. This does
not affect scram-sha-256 passwords, the default in all supported
releases. However, current databases may have MD5-hashed
passwords originating in upgrades from PostgreSQL 13 or earlier.
PostgreSQL SSL/GSS init causes denial of service, via
uncontrolled recursion. Uncontrolled recursion in PostgreSQL SSL
and GSS negotiation allows an attacker able to connect to a
PostgreSQL AF_UNIX socket to achieve sustained denial of
service. If SSL and GSS are both disabled, an attacker can do
the same via access to a PostgreSQL TCP socket.
PostgreSQL pg_restore_attribute_stats accepts values that cause
query planning to read past end of stats array. Buffer over-read
in PostgreSQL function pg_restore_attribute_stats() accepts
array values of unmatched length, which causes query planning to
read past end of one array. This allows a table maintainer to
infer memory values past that array end. Versions before
PostgreSQL 18 are unaffected.
PostgreSQL refint allows stack buffer overflow and SQL
injection. Stack buffer overflow in PostgreSQL module refint
allows an unprivileged database user to execute arbitrary code
as the operating system user running the database. A distinct
attack is possible if the application declares a user-controlled
column as a refint cascade primary key and facilitates
user-controlled updates to that column. In that case, a SQL
injection allows a primary key update value provider to execute
arbitrary SQL as the database user performing the primary key
update.
PostgreSQL REFRESH PUBLICATION allows SQL injection via table
name. SQL injection in PostgreSQL logical replication ALTER
SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table
creator to execute arbitrary SQL with the subscription's
publication-side credentials. The attack takes effect at the
next REFRESH PUBLICATION. Versions before PostgreSQL 16 are
unaffected.