N/A

A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

N/A

宽松定义的白名单

PostgreSQL 安全漏洞

PostgreSQL是Postgresql组织的一套自由的对象关系型数据库管理系统。该系统支持大部分SQL标准并且提供了许多其他特性，例如外键、触发器、视图等。 PostgreSQL 12.5之前版本存在安全漏洞，该漏洞源于gset 允许覆盖经过特殊处理的变量，gset命令根据查询结果设置psql变量，该命令不区分控制psql行为的变量。攻击者可利用该漏洞执行任意代码作为运行psql的操作系统帐户

N/A

N/A