CVE-2019-9193: PostgreSQL Arbitrary Code Execution Vulnerability Alert

Security researchers have recently disclosed details of a code execution vulnerability in PostgreSQL instances (CVE-2019-9193). An attacker who holds file read permissions on the database server can exploit it to execute arbitrary system commands.

Image: Greenwolf

Vulnerability overview


PostgreSQL is a powerful database system that runs on all major operating systems, including Linux, Windows and Mac OS X. The disclosed vulnerability lies in the "COPY TO/FROM PROGRAM" statement used to import and export data. Once a user who is a member of the "pg_read_server_files" role executes this statement, database superuser authority can be obtained, and with it the ability to execute any system command.

Affected version

  • PostgreSQL >= 9.3

Solution suggestion

The pg_read_server_files, pg_write_server_files and pg_execute_server_program roles grant broad privileges to read and write files on the database server and to run programs there. Membership in these roles should be granted to database users only after careful consideration.
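As a practical follow-up to this suggestion, the following audit query lists every role that can reach the server's file system or run server-side programs, either through membership in one of the three roles or through superuser status; it is an added example, not part of the original advisory, and the role name `app_user` in the REVOKE is a placeholder. It assumes PostgreSQL 11 or later, where these three default roles exist; on 9.3 to 10 only superusers can use COPY ... PROGRAM, so the `rolsuper` column is the one to review.

```sql
-- Audit: which roles hold server-file or server-program privileges?
-- pg_has_role(oid, role_name, 'MEMBER') also reports membership that is
-- inherited through intermediate roles, so indirect grants are caught too.
-- Superusers are reported as members of every role, which is the point:
-- they can run COPY ... PROGRAM regardless of explicit grants.
SELECT rolname,
       rolsuper,
       pg_has_role(oid, 'pg_read_server_files',      'MEMBER') AS can_read_server_files,
       pg_has_role(oid, 'pg_write_server_files',     'MEMBER') AS can_write_server_files,
       pg_has_role(oid, 'pg_execute_server_program', 'MEMBER') AS can_run_server_program
FROM pg_roles
WHERE rolname NOT IN ('pg_read_server_files',
                      'pg_write_server_files',
                      'pg_execute_server_program')
  AND (rolsuper
       OR pg_has_role(oid, 'pg_read_server_files',      'MEMBER')
       OR pg_has_role(oid, 'pg_write_server_files',     'MEMBER')
       OR pg_has_role(oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY rolsuper DESC, rolname;

-- Remediation: withdraw the grant from an application role that does not
-- need it (app_user is a placeholder for a role found by the query above).
REVOKE pg_execute_server_program FROM app_user;
REVOKE pg_read_server_files      FROM app_user;
REVOKE pg_write_server_files     FROM app_user;
```

Run the query as a superuser after any role change; application roles should normally not appear in the result at all.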