Given a suitable
SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires
EXECUTE permission on the function, which must itself contain a function call having inexact argument type match. For example,
length('foo') are inexact, while
length('foo'::text) is exact.
As part of exploiting this vulnerability, the attacker uses
CREATE DOMAIN to create a type in a
pg_temp schema. The attack pattern and fix are similar to that for CVE-2007-2138.
SECURITY DEFINER functions continues to require following the considerations noted in the documentation:
The PostgreSQL project thanks Tom Lane for reporting this problem.
|Affected Version||Fixed In||Fix Published|
If you wish to report a new security vulnerability in PostgreSQL, please send an email to email@example.com.
For reporting non-security bugs, please see the Report a Bug page.