Cybersecurity specialists have reported three security vulnerabilities in PostgreSQL, the popular object-oriented, open source database management system. According to the report, successful exploitation of these flaws would allow threat actors to carry out SQL injection attacks and to bypass security mechanisms on affected systems.
Below are brief descriptions of the reported flaws, along with their identifiers and their scores under the Common Vulnerability Scoring System (CVSS).
CVE-2020-25695: Inadequate sanitization of user input would allow threat actors to send specially crafted requests to the affected application in order to execute arbitrary SQL commands in the database.
The flaw received a score of 7.7/10 and its successful exploitation would allow remote threat actors to read, delete and even modify data on the affected system.
CVE-2020-25694: Incorrect access restrictions allow threat actors to perform a man-in-the-middle (MitM) attack, or to view cleartext transmissions and downgrade connection security settings.
This is a medium-severity flaw that received a score of 6.5/10, and its exploitation allows attackers to gain unauthorized access to functions that would otherwise be restricted.
CVE-2020-25696: The psql meta-command “\gset” does not distinguish variables that control psql behavior, so a threat actor could execute arbitrary code with an operating system account.
The flaw received a score of 6.5/10 on the CVSS scale. A successful attack could compromise the target system completely.
These vulnerabilities are present in the following versions of PostgreSQL: 9.5.0, 9.5.1, 9.5.2, 9.5.3, 9.5.4, 9.5.5, 9.5.6, 9.5.7, 9.5.8, 9.5.9, 9.5.10, 9.5.11, 9.5.12, 9.5.13, 9.5.14, 9.5.15, 9.5.16, 9.5.17, 9.5.18, 9.5.19, 9.5.20, 9.5.21, 9.5.22, 9.5.23, 9.6.0, 9.6.1, 9.6.2, 9.6.3, 9.6.4, 9.6.5, 9.6.6, 9.6.7, 9.6.8, 9.6.9, 9.6.10, 9.6.11, 9.6.12, 9.6.13, 9.6.14, 9.6.15, 9.6.16, 9.6.17, 9.6.18, 9.6.19, 10.0, 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.10.4, 10.11, 10.12, 10.13, 10.14, 11.0, 11.1, 11.2, 11.3, 11.4, 11.5, 11.6, 11.7, 11.8, 11.9, 12.0, 12.1, 12.2, 12.3, 12.4, 13.0.
While all three reported flaws can be exploited remotely by unauthenticated threat actors, specialists have not detected evidence of active exploitation of these vulnerabilities or of malware linked to such attacks. Security patches are now available, so administrators of vulnerable installations are advised to update as soon as possible.
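As an added example (not part of the original report), the following Python code checks version strings from an inventory against the affected-version list above. The host names and sample strings are constructed, and because the report does not name the fixed releases, anything above the highest listed release on a branch is only reported as newer than the listed versions.

```python
import re

# Highest affected release per branch, taken from the version list in this article.
# Branches before 10 are named by two numbers (9.5, 9.6); from 10 on, by one.
LAST_AFFECTED = {(9, 5): 23, (9, 6): 19, (10,): 14, (11,): 9, (12,): 4, (13,): 0}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")

def parse_version(text):
    """Return (branch, minor) from a server_version or version() string."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PostgreSQL version found in {text!r}")
    major, second, third = int(m.group(1)), int(m.group(2)), m.group(3)
    if major < 10:
        # 9.x numbering: "9.6.19" is branch 9.6, minor release 19
        return (major, second), int(third or 0)
    # 10+ numbering: "12.4" is branch 12, minor release 4
    return (major,), second

def classify(text):
    """Classify one version string against the article's list."""
    branch, minor = parse_version(text)
    last = LAST_AFFECTED.get(branch)
    if last is None:
        # The article says nothing about this branch; do not treat it as safe.
        return "branch-not-listed"
    return "affected" if minor <= last else "newer-than-listed"

def audit(inventory):
    """Map host -> classification for a {host: version string} inventory."""
    return {host: classify(version) for host, version in inventory.items()}

# Constructed sample inventory (hypothetical hosts; strings shaped like
# the output of SELECT version() or SHOW server_version).
SAMPLE = {
    "db-orders": "PostgreSQL 12.4 (Debian 12.4-1.pgdg100+1) on x86_64-pc-linux-gnu",
    "db-reports": "9.6.20",
    "db-legacy": "9.4.26",
    "db-new": "13.0",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as branch-not-listed need a separate check against the vendor's advisory, since the list above does not cover them either way.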