| Vulnerability Name: | CVE-2019-10127 (CCN-160900) | ||||||||||||||||
| Assigned: | 2019-05-09 | ||||||||||||||||
| Published: | 2019-05-09 | ||||||||||||||||
| Updated: | 2022-01-01 | ||||||||||||||||
| Summary: | A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for BigSQL-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. An attacker having only the unprivileged Windows account can read arbitrary data directory files, essentially bypassing database-imposed read access limitations. An attacker having only the unprivileged Windows account can also delete certain data directory files. | ||||||||||||||||
| CVSS v3 Severity: | 8.8 High (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) 7.7 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
6.8 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)
| ||||||||||||||||
| CVSS v2 Severity: | 4.3 Medium (CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:P/A:P)
| ||||||||||||||||
| Vulnerability Type: | CWE-284 | ||||||||||||||||
| Vulnerability Consequences: | Gain Access | ||||||||||||||||
| References: | Source: MITRE Type: CNA CVE-2019-10127 Source: MISC Type: Issue Tracking, Third Party Advisory https://bugzilla.redhat.com/show_bug.cgi?id=1707098 Source: XF Type: UNKNOWN postgresql-cve201910127-code-exec(160900) Source: CONFIRM Type: Third Party Advisory https://security.netapp.com/advisory/ntap-20210430-0004/ Source: CCN Type: IBM Security Bulletin 6188541 (Robotic Process Automation with Automation Anywhere) PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere Source: CCN Type: PostgreSQL Web site PostgreSQL 11.3, 10.8, 9.6.13, 9.5.17, and 9.4.22 Released! Source: MISC Type: Patch, Release Notes, Vendor Advisory https://www.postgresql.org/about/news/1939/ | ||||||||||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||||||||||
| Oval Definitions | |||||||||||||||||
| |||||||||||||||||
| BACK | |||||||||||||||||