An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser.
While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum and not manually running
REFRESH MATERIALIZED VIEW, or a restore from output of the
pg_dump command. Performance may degrade quickly under this workaround.
VACUUM without the
FULL option is safe, and all commands are fine when a trusted user owns the target object.
The PostgreSQL project thanks Etienne Stalmans for reporting this problem.
|Affected Version||Fixed In||Fix Published|
If you wish to report a new security vulnerability in PostgreSQL, please send an email to email@example.com.
For reporting non-security bugs, please see the Report a Bug page.