The EnterpriseDB Windows installer writes a password to a temporary file in its installation directory, creates initial databases, and deletes the file. During the seconds in which the file exists, a local attacker can read the PostgreSQL superuser password from it.
The PostgreSQL project thanks Noah Misch for reporting this problem.
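The sketch below is an added example, not code from the installer or from the PostgreSQL project: it contrasts a temporary secret file created with default permissions against one created owner-only and exclusively at creation time, so that no readable window exists. It uses POSIX permission bits as a stand-in (on Windows the equivalent is a restrictive DACL supplied when the file is created); all function names, the file names and the sample password are constructed for illustration.

```python
import os
import stat
import tempfile


def write_secret_default(path, secret):
    """Pattern to avoid: the file gets whatever the default permissions allow."""
    with open(path, "w") as f:
        f.write(secret)


def write_secret_private(path, secret):
    """Create the file owner-only from the first instant.

    O_EXCL makes creation fail if the path already exists, so a file or
    symlink planted in advance by another local user is never written to.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(secret)


def readable_by_others(path):
    """Audit check: do group or other users hold read permission?"""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    """Write the same constructed secret both ways and report exposure."""
    old_umask = os.umask(0o022)  # a common default, fixed here for repeatability
    try:
        # The temporary directory stands in for a shared installation directory.
        with tempfile.TemporaryDirectory() as d:
            results = {}
            for name, writer in (("default", write_secret_default),
                                 ("private", write_secret_private)):
                path = os.path.join(d, name + ".tmp")
                writer(path, "constructed-sample-password")
                results[name] = readable_by_others(path)
                os.remove(path)
            return results
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print(demo())
```

Setting the permissions in the same call that creates the file matters: writing first and tightening permissions afterwards leaves the same kind of short window the advisory describes.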
| Affected Version | Fixed In | Fix Published |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to email@example.com.
For reporting non-security bugs, please see the Report a Bug page.