Critical privilege vulnerability in PostgreSQL closed

By: MRT Desk


Attackers could target systems running the PostgreSQL database management system and obtain higher user rights. A security patch is available for download.

The vulnerability (CVE-2021-38140) is rated "critical". In an advisory, the developers state that they have closed the vulnerability in version 2.0.1 of the set_user extension module. To obtain higher rights, an attacker would have to call the set_user() function and trigger a RESET SESSION AUTHORIZATION state. That should now be blocked.

It is currently not known how attacks could take place. Because the vulnerability is classified as critical, admins should bring their PostgreSQL installations up to date as soon as possible. Instructions for doing so can be found on GitHub.

