{ "document": { "aggregate_severity": { "text": "High" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_docker/alpinelinux3.22/vex/2019/cve-2019-9193-els_docker-alpinelinux3_22.json" } ], "tracking": { "current_release_date": "2026-02-10T14:01:07Z", "generator": { "date": "2026-02-10T14:01:07Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2019-9193-ELS_DOCKER-ALPINELINUX3.22", "initial_release_date": "2019-04-01T21:30:00Z", "revision_history": [ { "date": "2019-04-01T21:30:00Z", "number": "1", "summary": "Initial version" }, { "date": "2025-12-24T10:57:49Z", "number": "2", "summary": "Official Publication" }, { "date": "2025-12-29T12:11:55Z", "number": "3", "summary": "Update document" }, { "date": "2026-01-07T13:17:27Z", "number": "4", "summary": "Update document" }, { "date": "2026-01-29T16:56:20Z", "number": "5", "summary": "Update document" }, { "date": "2026-02-10T14:01:07Z", "number": "6", "summary": "Update document" } ], "status": "final", "version": "6" }, "title": "Security update on CVE-2019-9193" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Alpine Linux 3.22", "product": { "name": "Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22", "product_identification_helper": { "cpe": "cpe:2.3:o:alpinelinux:alpine_linux:3.22:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Alpine Linux" } ], "category": "vendor", "name": "Alpine Linux" }, { "branches": [ { "branches": [ { "category": "product_version", "name": "postgresql11-11.22-rr1.x86_64", "product": { "name": "postgresql11-11.22-rr1.x86_64", "product_id": "postgresql11-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-client-11.22-rr1.x86_64", "product": { "name": "postgresql11-client-11.22-rr1.x86_64", "product_id": "postgresql11-client-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-client@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-contrib-11.22-rr1.x86_64", "product": { "name": "postgresql11-contrib-11.22-rr1.x86_64", "product_id": "postgresql11-contrib-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-contrib@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-dev-11.22-rr1.x86_64", "product": { "name": "postgresql11-dev-11.22-rr1.x86_64", "product_id": "postgresql11-dev-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-dev@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-doc-11.22-rr1.x86_64", "product": { "name": "postgresql11-doc-11.22-rr1.x86_64", "product_id": "postgresql11-doc-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-doc@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-openrc-11.22-rr1.x86_64", "product": { "name": "postgresql11-openrc-11.22-rr1.x86_64", "product_id": "postgresql11-openrc-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-openrc@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-plperl-11.22-rr1.x86_64", "product": { "name": "postgresql11-plperl-11.22-rr1.x86_64", "product_id": "postgresql11-plperl-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-plperl@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-plperl-contrib-11.22-rr1.x86_64", "product": { "name": "postgresql11-plperl-contrib-11.22-rr1.x86_64", "product_id": "postgresql11-plperl-contrib-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-plperl-contrib@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-plpython3-11.22-rr1.x86_64", "product": { "name": "postgresql11-plpython3-11.22-rr1.x86_64", "product_id": "postgresql11-plpython3-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-plpython3@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-plpython3-contrib-11.22-rr1.x86_64", "product": { "name": "postgresql11-plpython3-contrib-11.22-rr1.x86_64", "product_id": "postgresql11-plpython3-contrib-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-plpython3-contrib@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-pltcl-11.22-rr1.x86_64", "product": { "name": "postgresql11-pltcl-11.22-rr1.x86_64", "product_id": "postgresql11-pltcl-11.22-rr1.x86_64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-pltcl@11.22-rr1?arch=x86_64&os_name=alpine&os_version=3.22" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "postgresql11-doc-11.22-rr1.aarch64", "product": { "name": "postgresql11-doc-11.22-rr1.aarch64", "product_id": "postgresql11-doc-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-doc@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-plperl-contrib-11.22-rr1.aarch64", "product": { "name": "postgresql11-plperl-contrib-11.22-rr1.aarch64", "product_id": "postgresql11-plperl-contrib-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-plperl-contrib@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-plpython3-contrib-11.22-rr1.aarch64", "product": { "name": "postgresql11-plpython3-contrib-11.22-rr1.aarch64", "product_id": "postgresql11-plpython3-contrib-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-plpython3-contrib@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-pltcl-11.22-rr1.aarch64", "product": { "name": "postgresql11-pltcl-11.22-rr1.aarch64", "product_id": "postgresql11-pltcl-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-pltcl@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-dev-11.22-rr1.aarch64", "product": { "name": "postgresql11-dev-11.22-rr1.aarch64", "product_id": "postgresql11-dev-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-dev@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-openrc-11.22-rr1.aarch64", "product": { "name": "postgresql11-openrc-11.22-rr1.aarch64", "product_id": "postgresql11-openrc-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-openrc@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-plperl-11.22-rr1.aarch64", "product": { "name": "postgresql11-plperl-11.22-rr1.aarch64", "product_id": "postgresql11-plperl-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-plperl@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-11.22-rr1.aarch64", "product": { "name": "postgresql11-11.22-rr1.aarch64", "product_id": "postgresql11-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-client-11.22-rr1.aarch64", "product": { "name": "postgresql11-client-11.22-rr1.aarch64", "product_id": "postgresql11-client-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-client@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-contrib-11.22-rr1.aarch64", "product": { "name": "postgresql11-contrib-11.22-rr1.aarch64", "product_id": "postgresql11-contrib-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-contrib@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } }, { "category": "product_version", "name": "postgresql11-plpython3-11.22-rr1.aarch64", "product": { "name": "postgresql11-plpython3-11.22-rr1.aarch64", "product_id": "postgresql11-plpython3-11.22-rr1.aarch64", "product_identification_helper": { "purl": "pkg:apk/tuxcare/postgresql11-plpython3@11.22-rr1?arch=aarch64&os_name=alpine&os_version=3.22" } } } ], "category": "architecture", "name": "aarch64" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "postgresql11-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-11.22-rr1.x86_64" }, "product_reference": "postgresql11-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-client-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-client-11.22-rr1.x86_64" }, "product_reference": "postgresql11-client-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-contrib-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-contrib-11.22-rr1.x86_64" }, "product_reference": "postgresql11-contrib-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-dev-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-dev-11.22-rr1.x86_64" }, "product_reference": "postgresql11-dev-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-doc-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-doc-11.22-rr1.x86_64" }, "product_reference": "postgresql11-doc-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-openrc-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-openrc-11.22-rr1.x86_64" }, "product_reference": "postgresql11-openrc-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-plperl-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-plperl-11.22-rr1.x86_64" }, "product_reference": "postgresql11-plperl-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-plperl-contrib-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-plperl-contrib-11.22-rr1.x86_64" }, "product_reference": "postgresql11-plperl-contrib-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-plpython3-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-plpython3-11.22-rr1.x86_64" }, "product_reference": "postgresql11-plpython3-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-plpython3-contrib-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-plpython3-contrib-11.22-rr1.x86_64" }, "product_reference": "postgresql11-plpython3-contrib-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-pltcl-11.22-rr1.x86_64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-pltcl-11.22-rr1.x86_64" }, "product_reference": "postgresql11-pltcl-11.22-rr1.x86_64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-doc-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-doc-11.22-rr1.aarch64" }, "product_reference": "postgresql11-doc-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-plperl-contrib-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-plperl-contrib-11.22-rr1.aarch64" }, "product_reference": "postgresql11-plperl-contrib-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-plpython3-contrib-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-plpython3-contrib-11.22-rr1.aarch64" }, "product_reference": "postgresql11-plpython3-contrib-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-pltcl-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-pltcl-11.22-rr1.aarch64" }, "product_reference": "postgresql11-pltcl-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-dev-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-dev-11.22-rr1.aarch64" }, "product_reference": "postgresql11-dev-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-openrc-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-openrc-11.22-rr1.aarch64" }, "product_reference": "postgresql11-openrc-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-plperl-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-plperl-11.22-rr1.aarch64" }, "product_reference": "postgresql11-plperl-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-11.22-rr1.aarch64" }, "product_reference": "postgresql11-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-client-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-client-11.22-rr1.aarch64" }, "product_reference": "postgresql11-client-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-contrib-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-contrib-11.22-rr1.aarch64" }, "product_reference": "postgresql11-contrib-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql11-plpython3-11.22-rr1.aarch64 as a component of Alpine Linux 3.22", "product_id": "Alpine-Linux-3.22:postgresql11-plpython3-11.22-rr1.aarch64" }, "product_reference": "postgresql11-plpython3-11.22-rr1.aarch64", "relates_to_product_reference": "Alpine-Linux-3.22" } ] }, "vulnerabilities": [ { "cve": "CVE-2019-9193", "cwe": { "id": "CWE-78", "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')" }, "notes": [ { "category": "description", "text": "In PostgreSQL 9.3 through 11.2, the \"COPY TO/FROM PROGRAM\" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" }, { "category": "other", "text": "TuxCare has assessed that this vulnerability does not impact any currently supported TuxCare products. This evaluation may change as new information becomes available. For additional details regarding this vulnerability and affected products, refer to the provided references.", "title": "Statement" } ], "product_status": { "known_not_affected": [ "Alpine-Linux-3.22:postgresql11-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-client-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-client-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-contrib-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-contrib-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-dev-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-dev-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-doc-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-doc-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-openrc-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-openrc-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plperl-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plperl-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plperl-contrib-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plperl-contrib-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plpython3-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plpython3-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plpython3-contrib-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plpython3-contrib-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-pltcl-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-pltcl-11.22-rr1.x86_64" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2019-9193" }, { "category": "external", "summary": "http://packetstormsecurity.com/files/152757/PostgreSQL-COPY-FROM-PROGRAM-Command-Execution.html", "url": "http://packetstormsecurity.com/files/152757/PostgreSQL-COPY-FROM-PROGRAM-Command-Execution.html" }, { "category": "external", "summary": "http://packetstormsecurity.com/files/166540/PostgreSQL-11.7-Remote-Code-Execution.html", "url": "http://packetstormsecurity.com/files/166540/PostgreSQL-11.7-Remote-Code-Execution.html" }, { "category": "external", "summary": "http://packetstormsecurity.com/files/171722/PostgreSQL-9.6.1-Remote-Code-Execution.html", "url": "http://packetstormsecurity.com/files/171722/PostgreSQL-9.6.1-Remote-Code-Execution.html" }, { "category": "external", "summary": "https://blog.hagander.net/when-a-vulnerability-is-not-a-vulnerability-244/", "url": "https://blog.hagander.net/when-a-vulnerability-is-not-a-vulnerability-244/" }, { "category": "external", "summary": "https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5", "url": "https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5" }, { "category": "external", "summary": "https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/", "url": "https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/" }, { "category": "external", "summary": "https://security.netapp.com/advisory/ntap-20190502-0003/", "url": "https://security.netapp.com/advisory/ntap-20190502-0003/" }, { "category": "external", "summary": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/authenticated-arbitrary-command-execution-on-postgresql-9-3/", "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/authenticated-arbitrary-command-execution-on-postgresql-9-3/" } ], "release_date": "2019-04-01T21:30:00Z", "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0" }, "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.0" }, "products": [ "Alpine-Linux-3.22:postgresql11-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-client-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-client-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-contrib-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-contrib-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-dev-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-dev-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-doc-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-doc-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-openrc-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-openrc-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plperl-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plperl-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plperl-contrib-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plperl-contrib-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plpython3-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plpython3-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plpython3-contrib-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plpython3-contrib-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-pltcl-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-pltcl-11.22-rr1.x86_64" ] } ], "threats": [ { "category": "impact", "details": "Important" }, { "category": "impact", "details": "Not affected: CVE‑2019‑9193 was filed in error. COPY TO/FROM PROGRAM is intentional PostgreSQL functionality that is callable only by database superusers or roles explicitly granted pg_execute_server_program, and there is no security boundary between those highly privileged roles and the operating system user the server runs as. Because the feature does not grant new privileges or enable escalation for unprivileged users, it does not introduce additional risk beyond existing superuser capabilities.", "product_ids": [ "Alpine-Linux-3.22:postgresql11-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-client-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-client-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-contrib-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-contrib-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-dev-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-dev-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-doc-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-doc-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-openrc-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-openrc-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plperl-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plperl-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plperl-contrib-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plperl-contrib-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plpython3-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plpython3-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-plpython3-contrib-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-plpython3-contrib-11.22-rr1.x86_64", "Alpine-Linux-3.22:postgresql11-pltcl-11.22-rr1.aarch64", "Alpine-Linux-3.22:postgresql11-pltcl-11.22-rr1.x86_64" ] } ] } ] }