Attacker Value
Low
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown
0

CVE-2019-9193

Disclosure Date: April 01, 2019
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In PostgreSQL 9.3 through 11.2, the “COPY TO/FROM PROGRAM” function allows superusers and users in the ‘pg_execute_server_program’ group to execute arbitrary code in the context of the database’s operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.

Add Assessment

1
Ratings
  • Attacker Value
    Low
  • Exploitability
    Very High
Technical Analysis

There’s some interesting debate around the couching of this as a vuln in PostgreSQL, itself, since the COPY TO/FROM PROGRAM is ostensibly documented to allow program execution. Certainly a good reminder to, in general, limit privs where possible (in this case, don’t grant ‘pg_execute_server_program’ to users who don’t require it).

CVSS V3 Severity and Metrics
Base Score:
None
Impact Score:
Unknown
Exploitability Score:
Unknown
Vector:
Unknown
Attack Vector (AV):
Unknown
Attack Complexity (AC):
Unknown
Privileges Required (PR):
Unknown
User Interaction (UI):
Unknown
Scope (S):
Unknown
Confidentiality (C):
Unknown
Integrity (I):
Unknown
Availability (A):
Unknown

General Information

Vendors

  • postgresql

Products

  • postgresql

Additional Info

Technical Analysis