Vulnerability Details : CVE-2020-10733
The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths. Executables in the directory where the installer loads or the current working directory take precedence over the intended executables. An attacker having permission to add files into one of those directories can use this to execute arbitrary code with the installer's administrative rights.
Vulnerability category: File inclusion, Execute code
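The flaw is the classic Windows search-order problem: when a program passes a bare file name to CreateProcess, Windows looks in the directory the program was loaded from and in the current directory before it looks in System32, so a file of the same name planted in either of those directories runs instead, with the caller's privileges. The following is an added illustration (not the PostgreSQL installer's code) that models that documented search order in a small in-memory filesystem. The directory names, the use of icacls.exe as the looked-up binary, and the writable-directory list are assumptions for the example; the page does not say which executables the installer invokes. It shows the vulnerable bare-name lookup beside the fixed fully-qualified lookup, plus a check that reports which search-order directory an attacker could use to hijack a given lookup.

```python
"""Model of the Windows CreateProcess search order behind CVE-2020-10733.

Added example; not code from the PostgreSQL installer. Paths and the
executable name (icacls.exe) are illustrative assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set
import ntpath


@dataclass
class SimWindows:
    """A tiny in-memory Windows filesystem: lower-cased directory -> file names."""
    app_dir: str                      # directory the installer was loaded from
    cwd: str                          # current directory when it launches a child
    system_root: str = r"C:\Windows"
    path_env: List[str] = field(default_factory=list)
    files: Dict[str, Set[str]] = field(default_factory=dict)

    def plant(self, directory: str, name: str) -> None:
        self.files.setdefault(directory.lower(), set()).add(name.lower())

    def exists(self, full_path: str) -> bool:
        directory, name = ntpath.split(full_path)
        return name.lower() in self.files.get(directory.lower(), set())

    def search_order(self) -> List[str]:
        # Documented CreateProcess order for a name with no directory component
        return [
            self.app_dir,
            self.cwd,
            ntpath.join(self.system_root, "System32"),
            ntpath.join(self.system_root, "System"),
            self.system_root,
            *self.path_env,
        ]


def resolve_unqualified(fs: SimWindows, name: str) -> Optional[str]:
    """Vulnerable pattern: launch by bare name; first match in search order wins."""
    if ntpath.dirname(name):
        raise ValueError("expected a bare file name")
    for directory in fs.search_order():
        candidate = ntpath.join(directory, name)
        if fs.exists(candidate):
            return candidate
    return None


def resolve_qualified(fs: SimWindows, full_path: str) -> Optional[str]:
    """Fixed pattern: launch by fully-qualified path; no directory search at all."""
    if not ntpath.isabs(full_path) or not ntpath.splitdrive(full_path)[0]:
        raise ValueError("path must be fully qualified (drive letter + absolute path)")
    return full_path if fs.exists(full_path) else None


def hijack_point(fs: SimWindows, name: str, writable_dirs: Iterable[str]) -> Optional[str]:
    """First attacker-writable directory searched before the legitimate copy of
    `name`, or None when the bare-name lookup cannot be hijacked on this system."""
    writable = {d.lower() for d in writable_dirs}
    for directory in fs.search_order():
        if directory.lower() in writable:
            return directory
        if fs.exists(ntpath.join(directory, name)):
            return None
    return None


def build_system(installer_dir: str, cwd: str) -> SimWindows:
    """Constructed sample system with only the legitimate icacls.exe in System32."""
    fs = SimWindows(app_dir=installer_dir, cwd=cwd, path_env=[r"C:\Windows\System32"])
    fs.plant(r"C:\Windows\System32", "icacls.exe")
    return fs


def demo() -> dict:
    downloads = r"C:\Users\Public\Downloads"          # assumed: a user-writable dir
    fs = build_system(downloads, downloads)
    before = resolve_unqualified(fs, "icacls.exe")    # clean system: System32 copy
    fs.plant(downloads, "icacls.exe")                 # attacker drops a same-named file
    after = resolve_unqualified(fs, "icacls.exe")     # planted copy now wins
    fixed = resolve_qualified(fs, r"C:\Windows\System32\icacls.exe")
    return {
        "before": before,
        "after": after,
        "fixed": fixed,
        "hijack_from_downloads": hijack_point(
            build_system(downloads, downloads), "icacls.exe", [downloads]),
        "hijack_from_protected": hijack_point(
            build_system(r"C:\Program Files\pg", r"C:\Windows\System32"),
            "icacls.exe", [downloads]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `hijack_point` check is the audit a practitioner wants for any elevated process that spawns helpers by name: enumerate the search order and confirm that no directory ahead of the legitimate copy is writable by a lower-privileged user. The same model also shows why the fix is to use fully-qualified paths rather than to sanitize PATH: the two directories that matter here are consulted before PATH is ever read.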
Products affected by CVE-2020-10733
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
Threat overview for CVE-2020-10733
- Top open port discovered on systems with this issue: 5432
- IPs affected by CVE-2020-10733: 185,064
- Threat actors abusing this issue: Yes
Note that 5432 is the PostgreSQL server port, so these counts reflect reachable PostgreSQL deployments; the flaw itself is in the Windows installer and is only exposed while an installer is being run from, or with its current directory in, a location a local attacker can write to.
Exploit prediction scoring system (EPSS) score for CVE-2020-10733
- EPSS score: 0.05% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~20% (proportion of vulnerabilities scored at or below this)
CVSS scores for CVE-2020-10733
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.4 | MEDIUM | AV:L/AC:M/Au:N/C:P/I:P/A:P | 3.4 | 6.4 | NIST |
7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 1.3 | 5.9 | NIST |
CWE ids for CVE-2020-10733
- CWE-426 (Untrusted Search Path): The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Assigned by:
- nvd@nist.gov (Primary)
- secalert@redhat.com (Secondary)
References for CVE-2020-10733
- https://security.netapp.com/advisory/ntap-20201001-0006/ : CVE-2020-10733 PostgreSQL Vulnerability in NetApp Products (NetApp Product Security, third-party advisory)
- https://www.postgresql.org/about/news/2038/ : PostgreSQL 12.3, 11.8, 10.13, 9.6.18, and 9.5.22 Released! (vendor advisory)
- https://www.postgresql.org/support/security/11/ : PostgreSQL: Security Information (vendor advisory)