Re: BUG #15731: CVE-2019-9193

This is not a security vulnerability in the product. It is behaving exactly
as intended. It may be misconfigured in some deployments, but it's not a
product vulnerability.

/Magnus

On Wed, Apr 3, 2019, 09:39 PG Bug reporting form <noreply(at)postgresql(dot)org>
wrote:

> The following bug has been logged on the website:
>
> Bug reference: 15731
> Logged by: Abhijit Rajwade
> Email address: abhijit_rajwade(at)bmc(dot)com
> PostgreSQL version: 11.2
> Operating system: Linux
> Description:
>
> Sonatype Nexus Audior is reporting the following Threat level 9
> vulnerability on Postgres
>
> Vulnerability
>
> Issue CVE-2019-9193
> Severity Sonatype CVSS 3.0: 9.8
> Weakness Sonatype CWE: 94
> Source National Vulnerability Database
> Categories Data
>
> Description
>
> Description from CVE
> In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows
> superusers and users in the 'pg_read_server_files' group to execute
> arbitrary code in the context of the database's operating system user. This
> functionality is enabled by default and can be abused to run arbitrary
> operating system commands on Windows, Linux, and macOS.
>
> Root Cause
> postgresql-42.2.5.jar : [9.3, )
>
> Advisories
> Third Party:
>
> https://github.com/iiiusky/vulhub/commit/88c8816c6f8825030ade34c63c745757ca818fc0#diff-ceb08c22f5e392636bdb77b8562ce0fd
> Third Party:
>
> https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
>
> CVSS Details
> Sonatype CVSS 3.0: 9.8
> CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>
>
> Can you please have the above Security vulnerability fixed?
>
> --- Abhijit Rajwade
>
>