Login Sign Up

CVE-2020-14350

7.3 HIGH

📋 TL;DR

This CVE describes a PostgreSQL vulnerability where certain extensions don't properly secure their installation scripts against search_path manipulation. Attackers with sufficient database privileges can trick administrators into executing malicious scripts during extension installation or updates. This affects PostgreSQL versions before specific security releases.

💻 Affected Systems

Products:
  • PostgreSQL
Versions: Versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23
Operating Systems: All operating systems running affected PostgreSQL versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where PostgreSQL extensions are being installed or updated by administrators. Requires attacker to have sufficient database privileges to influence the installation process.

📦 What is this software?

Debian Linux by Debian

View all CVEs affecting Debian Linux →

Leap by Opensuse

View all CVEs affecting Leap →

Leap by Opensuse

View all CVEs affecting Leap →

Postgresql by Postgresql

View all CVEs affecting Postgresql →

Postgresql by Postgresql

View all CVEs affecting Postgresql →

Postgresql by Postgresql

View all CVEs affecting Postgresql →

Postgresql by Postgresql

View all CVEs affecting Postgresql →

Postgresql by Postgresql

View all CVEs affecting Postgresql →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

Ubuntu Linux by Canonical

View all CVEs affecting Ubuntu Linux →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could execute arbitrary code with database administrator privileges, potentially leading to full database compromise, data exfiltration, or lateral movement to the underlying operating system.

🟠

Likely Case

Privileged database users could escalate privileges, manipulate data, or install backdoors within the PostgreSQL environment.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to the database layer with no operating system compromise.

🌐 Internet-Facing: MEDIUM - While exploitation requires database privileges, internet-facing PostgreSQL instances with weak authentication could be vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers with database access could exploit this, but requires specific conditions during extension management.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires: 1) Attacker with CREATE privilege or higher, 2) Administrator installing/updating vulnerable extensions, 3) Ability to influence search_path during installation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PostgreSQL 12.4, 11.9, 10.14, 9.6.19, 9.5.23

Vendor Advisory: https://www.postgresql.org/support/security/

Restart Required: Yes

Instructions:

1. Backup your PostgreSQL database. 2. Stop PostgreSQL service. 3. Upgrade to patched version using your distribution's package manager or PostgreSQL binaries. 4. Restart PostgreSQL service. 5. Verify upgrade completed successfully.

🔧 Temporary Workarounds

Restrict extension installation

all

Limit who can install PostgreSQL extensions and monitor extension installation activities

REVOKE CREATE ON SCHEMA public FROM PUBLIC;
CREATE ROLE extension_installer;
GRANT CREATE ON SCHEMA public TO extension_installer;

Secure search_path for administrators

all

Set secure search_path for database administrators during extension operations

ALTER ROLE admin_user SET search_path = "\"$user\", public";

🧯 If You Can't Patch

  • Implement strict access controls: Only allow trusted administrators to install/update extensions
  • Monitor and audit all extension installation activities and review installation scripts before execution

🔍 How to Verify

Check if Vulnerable:

Check PostgreSQL version: SELECT version(); If version is earlier than patched versions listed above, system is vulnerable.

Check Version:

psql -c 'SELECT version();'

Verify Fix Applied:

After patching, verify version shows patched release and test extension installation procedures.

📡 Detection & Monitoring

Log Indicators:

  • Unusual extension installation activities
  • Multiple failed extension installation attempts
  • Administrator account performing unexpected CREATE operations

Network Indicators:

  • Unusual database connection patterns during maintenance windows

SIEM Query:

source="postgresql.log" AND ("CREATE EXTENSION" OR "ALTER EXTENSION") AND NOT user IN (allowed_admin_users)

📊 Metadata

CVE ID: CVE-2020-14350
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-426
Published: August 24, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2020-14350, you might also want to check these:

CVE-2023-30330 9.8

SoftExpert Excellence Suite 2.x versions before 2.1.3 contain a Local File Inclusion vulnerability i...

Same vulnerability type (CWE-426)
CVE-2025-26155 9.8

This CVE describes an Untrusted Search Path vulnerability in NCP VPN clients that allows attackers t...

Same vulnerability type (CWE-426)
CVE-2020-15801 9.8

This vulnerability in Python 3.8.4 allows attackers to bypass sys.path restrictions specified in pyt...

Same vulnerability type (CWE-426)