A PostgreSQL superuser could escalate to root using a deficiency in the pg_ctlcluster command. pg_ctlcluster is a utility provided by the "postgresql-common" package that is installed with PostgreSQL on Debian and Ubuntu platforms.

| Affected Version | Fixed In | Fix Published |
|---|---|---|
| 12 | 12.1 | Dec. 4, 2019 | 
| 11 | 11.6 | Dec. 4, 2019 | 
| 10 | 10.11 | Dec. 4, 2019 | 
| 9.6 | 9.6.16 | Dec. 4, 2019 | 
| 9.5 | 9.5.20 | Dec. 4, 2019 | 
| 9.4 | 9.4.25 | Dec. 4, 2019 |

For more information about PostgreSQL versioning, please visit the versioning page.
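
An added example, not part of the advisory or of PostgreSQL's own tooling: a check of a server version string against the table above. The function names and the sample strings are assumptions made for the example, and it compares the server release only, because the page gives no postgresql-common package versions.

```python
import re

# First fixed minor release per major branch, copied from the advisory table.
FIXED_IN = {"12": 1, "11": 6, "10": 11, "9.6": 16, "9.5": 20, "9.4": 25}

_VERSION = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)(?:\.(\d+))?\b")

def split_version(text):
    """Return (branch, minor) or None.

    PostgreSQL 10 and later number releases MAJOR.MINOR; 9.x and earlier use
    MAJOR.MAJOR.MINOR, so the branch of 9.6.15 is "9.6", not "9".
    """
    m = _VERSION.match(text.strip())
    if not m:
        return None  # e.g. "12beta4" or "12devel": no release number to compare
    first, second, third = m.groups()
    if int(first) >= 10:
        return (first, int(second)) if third is None else None
    return (f"{first}.{second}", int(third)) if third is not None else None

def advisory_status(text):
    """Classify a version string as affected / fixed / not-listed / unparsed."""
    parsed = split_version(text)
    if parsed is None:
        return "unparsed"
    branch, minor = parsed
    if branch not in FIXED_IN:
        return "not-listed"  # the table makes no statement about this branch
    # Compare minors as integers: as strings, "9" would sort after "11".
    return "fixed" if minor >= FIXED_IN[branch] else "affected"

# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "PostgreSQL 11.5 (Debian 11.5-1.pgdg90+1) on x86_64-pc-linux-gnu",
    "9.6.16",
    "10.9",
    "13.2",
    "PostgreSQL 12beta4",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{advisory_status(s):10}  {s}")
```
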
| Overall Score | 8.4 | 
|---|---|
| Component | packaging | 
| Vector | AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H |

If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.

For reporting non-security bugs, please see the Report a Bug page.