There is widespread mention in the media of a security vulnerability in PostgreSQL, registered as CVE-2019-9193. The PostgreSQL Security Team would like to emphasize that this is not a security vulnerability. We believe the CVE entry was filed in error. We have contacted the reporter to investigate the issue.
The COPY .. PROGRAM feature explicitly states that it can only be executed by database users that have been granted superuser privileges or the default role
pg_execute_server_program. By design, this feature allows one who is granted superuser or
pg_execute_server_program to perform actions as the operating system user the PostgreSQL server runs under (normally "postgres"). The default roles
pg_write_server_files that are mentioned in the CVE do not grant permission for a database user to use COPY .. PROGRAM.
By design, there exists no security boundary between a database superuser and the operating system user the server runs under. As such, by design the PostgreSQL server is not allowed to run as an operating system superuser (e.g. "root"). The features for COPY .. PROGRAM added in PostgreSQL 9.3 did not change any of the above, but added a new command within the same security boundaries that already existed.
We encourage all users of PostgreSQL to follow the best practice that is to never grant superuser access to remote or otherwise untrusted users. This is a standard security operating procedure that is followed in system administration and extends to database administration as well.
If you have more questions about this, we invite you to reach out to members of the community through one of our support resources: