pg_ctlcluster script in postgresql-common does not drop privileges when creating socket/statistics temporary directories

A PostgreSQL superuser could escalate to root using a deficiency in the pg_ctlcluster command. pg_ctlcluster is a utility provided by the "postgresql-common" package that is installed with PostgreSQL on Debian and Ubuntu platforms.

Version Information

Affected Version Fixed In Fix Published
12 12.1 2019-12-04
11 11.6 2019-12-04
10 10.11 2019-12-04
9.6 9.6.16 2019-12-04
9.5 9.5.20 2019-12-04
9.4 9.4.25 2019-12-04

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 8.4
Component packaging
Vector AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to

For reporting non-security bugs, please see the Report a Bug page.