pg_ctlcluster script in postgresql-common does not drop privileges when creating socket/statistics temporary directories

A PostgreSQL superuser could escalate to root using a deficiency in the pg_ctlcluster command. pg_ctlcluster is a utility provided by the "postgresql-common" package that is installed with PostgreSQL on Debian and Ubuntu platforms.

Version Information

Affected Version Fixed In Fix Published
12 12.1 Dec. 4, 2019
11 11.6 Dec. 4, 2019
10 10.11 Dec. 4, 2019
9.6 9.6.16 Dec. 4, 2019
9.5 9.5.20 Dec. 4, 2019
9.4 9.4.25 Dec. 4, 2019

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 8.4
Component packaging
Vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to

For reporting non-security bugs, please see the Report a Bug page.