PostgreSQL Bugs

Collected from the PG bugs email list.

Bug ID: 15731
PG Version: 11.2
Opened: 2019-04-03 07:38:50+00
Reported by: Abhijit Rajwade

Body of first available message related to this bug follows.

The following bug has been logged on the website:

Bug reference:      15731
Logged by:          Abhijit Rajwade
Email address:      (redacted)
PostgreSQL version: 11.2
Operating system:   Linux

Sonatype Nexus Auditor is reporting the following Threat level 9
vulnerability on Postgres.


Issue:      CVE-2019-9193
Severity:   Sonatype CVSS 3.0: 9.8
Weakness:   Sonatype CWE: 94
Source:     National Vulnerability Database
Categories: Data


Description from CVE
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows
superusers and users in the 'pg_read_server_files' group to execute
arbitrary code in the context of the database's operating system user. This
functionality is enabled by default and can be abused to run arbitrary
operating system commands on Windows, Linux, and macOS. 

Root Cause
postgresql-42.2.5.jar : [9.3, )

CVSS Details
    Sonatype CVSS 3.0: 9.8
    CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Can you please have the above Security vulnerability fixed?

--- Abhijit Rajwade
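The CVE text above ties the exposure to superusers and to members of the pg_read_server_files role. The audit query below is an added example, not part of the bug report or of PostgreSQL itself; it lists which roles on a server fall into those groups so an administrator can review them. It assumes PostgreSQL 11 or later, where the predefined roles pg_read_server_files and pg_execute_server_program (the role that gates COPY ... PROGRAM in PG 11) exist; on 9.3 through 10 only the superuser column applies.

```sql
-- Added audit query (not from the bug report): enumerate every role that
-- can reach COPY TO/FROM PROGRAM or server-side files on this instance.
-- pg_has_role(..., 'MEMBER') resolves inherited membership, so roles that
-- get the privilege through an intermediate group are reported as well.
-- Assumes PostgreSQL 11+ (the predefined roles below were added in 11).
SELECT rolname,
       rolcanlogin                                              AS can_login,
       rolsuper                                                 AS superuser,
       pg_has_role(oid, 'pg_read_server_files', 'MEMBER')       AS read_server_files,
       pg_has_role(oid, 'pg_execute_server_program', 'MEMBER')  AS execute_server_program
FROM pg_roles
WHERE rolname NOT LIKE 'pg\_%'          -- skip the predefined roles themselves
  AND (rolsuper
       OR pg_has_role(oid, 'pg_read_server_files', 'MEMBER')
       OR pg_has_role(oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY superuser DESC, rolname;
```

Any login-capable, non-administrative role that appears here is a candidate for REVOKE of the listed membership; superusers show every column as true because they implicitly hold all roles.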


Thread messages:

2019-04-03 07:38:50+00 | PG Bug reporting form | BUG #15731: CVE-2019-9193
2019-04-03 07:42:53+00 | Magnus Hagander | Re: BUG #15731: CVE-2019-9193
2019-04-03 07:46:57+00 | "Rajwade, Abhijit" | RE: Re: BUG #15731: CVE-2019-9193
2019-04-03 08:10:21+00 | Magnus Hagander | Re: Re: BUG #15731: CVE-2019-9193