cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,exploited_date,poc,trended,trended_no_1,trended_no_1_date,published,trended_score
CVE-2025-1094,https://securityvulnerability.io/vulnerability/CVE-2025-1094,SQL Injection Vulnerability in PostgreSQL libpq Functions and Command Line Utilities,"This vulnerability arises from improper handling of quoting syntax in PostgreSQL libpq functions, which can allow SQL injection through specific usage patterns. Attackers can leverage this flaw when application input from these functions is used improperly, especially in the construction of commands for psql, the PostgreSQL interactive terminal. Additionally, the improper neutralization of quoting can also impact command line utility operations when certain encoding configurations are specified, making it a relevant threat for versions prior to PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19.",PostgreSQL,Postgresql,8.1,HIGH,0.0004299999854993075,false,,true,false,true,2025-02-14T05:03:12.000Z,true,true,false,,2025-02-13T13:00:02.061Z,7485
CVE-2024-10977,https://securityvulnerability.io/vulnerability/CVE-2024-10977,PostgreSQL Server Error Message Vulnerability Affects Multiple Versions,"A vulnerability in PostgreSQL allows a compromised server, when using inadequate SSL or GSS settings, to serve arbitrary non-NUL bytes to the libpq application. This can mislead users or automated scripts into thinking that they received valid query results instead of error messages. Particularly in environments where the user interface does not clearly delineate between error messages and other text, this could lead to confusion and potentially exploit opportunities for attackers.
Affected versions include those earlier than PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21.",PostgreSQL,PostgreSQL,3.7,LOW,0.0004600000102072954,false,,false,false,false,,,false,false,,2024-11-14T13:15:00.000Z,0
CVE-2024-10979,https://securityvulnerability.io/vulnerability/CVE-2024-10979,Unprivileged User Can Execute Arbitrary Code via Environment Variables,"The PostgreSQL open-source database system has a high-severity security flaw (CVE-2024-10979) that allows unprivileged users to alter environment variables, potentially leading to code execution or information disclosure. This vulnerability could enable an attacker to execute arbitrary code by modifying environment variables such as PATH, or extract valuable information by running malicious queries. Exploitation has not been reported, and the issue has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Users are advised to update their systems to prevent potential code execution and data breaches.",PostgreSQL,Postgresql,8.8,HIGH,0.000699999975040555,false,,true,false,true,2024-11-15T16:51:27.000Z,,false,false,,2024-11-14T13:15:00.000Z,223
CVE-2024-10976,https://securityvulnerability.io/vulnerability/CVE-2024-10976,Row Security Issues in PostgreSQL Affecting Multiple Versions,"The vulnerability arises from incomplete tracking in PostgreSQL regarding tables that utilize row-level security. It enables attackers to manipulate reused queries in a way that they can access or alter unintended data. Specifically, when applications define row security policies using CREATE POLICY, incorrect role-specific policies might be applied during query execution under alternate user roles. This could allow unauthorized data reads or modifications, particularly in scenarios involving security definer functions or shared user queries reused across multiple roles.
The vulnerability impacts numerous PostgreSQL versions prior to the specified updates, underscoring the importance of implementing the necessary patches to maintain data integrity and security.",PostgreSQL,PostgreSQL Database,5.4,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-11-14T13:15:00.000Z,0
CVE-2024-10978,https://securityvulnerability.io/vulnerability/CVE-2024-10978,Privilege Escalation in PostgreSQL Affects Multiple Versions,"A vulnerability in PostgreSQL arises from incorrect privilege assignments that permit a less-privileged application user to access, view, or alter data that was not intended for them. The issue is particularly significant when applications utilize commands such as SET ROLE or SET SESSION AUTHORIZATION, enabling an attacker to manipulate queries or retrieve information in a manner that circumvents the intended security controls. This vulnerability allows for potential unauthorized modification or exposure of sensitive data when application queries incorporate attacker-controlled parameters or present query results to the attacker. Affected versions include those prior to PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21.",PostgreSQL Global Development Group,Postgresql,4.2,MEDIUM,0.0012799999676644802,false,,false,false,false,,,false,false,,2024-11-14T13:15:00.000Z,0
CVE-2024-7348,https://securityvulnerability.io/vulnerability/CVE-2024-7348,Attackers Can Execute Arbitrary SQL Functions via Time-of-check Time-of-use Race Condition in PostgreSQL's pg_dump,"The vulnerability identified as CVE-2024-7348 in the PostgreSQL database system allows attackers to execute arbitrary SQL functions, posing a significant security risk, particularly for superusers running the pg_dump utility. This is a Time-of-check Time-of-use (TOCTOU) race condition that can be exploited by replacing relation types with a view or foreign table. The attack is particularly easy to win if the attacker maintains an open transaction.
Systems running PostgreSQL versions prior to 16.4, 15.8, 14.13, 13.16, and 12.20 are affected, and the PostgreSQL project has released patches for these versions. It is important for users to update their systems promptly to mitigate the risk of unauthorized SQL function execution. The vulnerability has been assigned a high severity rating due to its potential confidentiality, integrity, and availability impacts. The attack has not been exploited in the wild, and there is no evidence of ransomware groups targeting this vulnerability.",PostgreSQL,Postgresql,7.5,HIGH,0.0005000000237487257,false,,true,false,false,,,false,false,,2024-08-08T13:15:00.000Z,0
CVE-2024-4317,https://securityvulnerability.io/vulnerability/CVE-2024-4317,Unprivileged User Can Read Most Common Values and Other Statistics from Create Statistics Commands of Other Users,"Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected.
Versions before PostgreSQL 14 are unaffected.",PostgreSQL,Postgresql,4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,,false,false,,2024-05-14T15:43:00.000Z,0
CVE-2024-0985,https://securityvulnerability.io/vulnerability/CVE-2024-0985,Late Privilege Drop Vulnerability in PostgreSQL Allows Arbitrary SQL Execution,"A late privilege drop vulnerability in the REFRESH MATERIALIZED VIEW CONCURRENTLY command of PostgreSQL can be exploited by an object creator to execute arbitrary SQL functions under the privileges of the command issuer. This vulnerability compromises the intended safety of refreshing untrusted materialized views, placing superusers or users with assigned roles at risk if they are manipulated into executing specific commands on the attacker's materialized view. Versions of PostgreSQL prior to 16.2, 15.6, 14.11, 13.14, and 12.18 may be particularly vulnerable, necessitating immediate security measures for affected installations.",PostgreSQL,Postgresql,8,HIGH,0.00171999994199723,false,,true,false,false,,,false,false,,2024-02-08T13:00:02.411Z,0
CVE-2020-21469,https://securityvulnerability.io/vulnerability/CVE-2020-21469,Denial of Service Vulnerability in PostgreSQL by PostgreSQL Global Development Group,"A vulnerability in PostgreSQL 12.2 allows for a denial of service by sending SIGHUP signals repeatedly. Although the ability to send these signals is limited to PostgreSQL superusers or users with specific privileges, the concern highlights the importance of implementation controls. Unauthorized users cannot initiate this process, which suggests that the impact is primarily on users with advanced permissions.
Thorough configuration management and user access controls are essential for protecting databases against such vulnerabilities.",Postgresql,Postgresql,4.4,MEDIUM,0.0004199999966658652,false,,false,false,false,,,false,false,,2023-08-22T00:00:00.000Z,0
CVE-2023-2455,https://securityvulnerability.io/vulnerability/CVE-2023-2455,Row Security Policy Flaw in PostgreSQL by PostgreSQL Global Development Group,"This vulnerability arises from the failure of PostgreSQL to properly manage role-specific row security policies when user IDs change during query execution. In scenarios where role-specific policies are defined, such as using security definer functions or when switching between multiple roles, incorrect policy enforcement may occur. This allows unauthorized users to execute read and modification operations that should be restricted, exploiting instances where CREATE POLICY has been applied to define these security measures. Affected databases may inadvertently permit violations of intended access controls, putting sensitive data at risk.",Postgresql,postgresql,5.4,MEDIUM,0.0009299999801442027,false,,false,false,false,,,false,false,,2023-06-09T00:00:00.000Z,0
CVE-2023-2454,https://securityvulnerability.io/vulnerability/CVE-2023-2454,Arbitrary Code Execution Vulnerability in PostgreSQL by Red Hat,"A specific vulnerability in PostgreSQL allows authenticated attackers with elevated database-level privileges to execute arbitrary code. The issue arises when certain database calls bypass protective changes to the search_path, potentially compromising the database's integrity.
This could lead to unauthorized actions within the database, thereby representing a significant risk for systems that rely on this database management system.",Postgresql,postgresql,7.2,HIGH,0.004470000043511391,false,,false,false,false,,,false,false,,2023-06-09T00:00:00.000Z,0
CVE-2023-0241,https://securityvulnerability.io/vulnerability/CVE-2023-0241,Directory Traversal Vulnerability in pgAdmin 4 by pgAdmin Team,"A directory traversal vulnerability found in pgAdmin 4 versions prior to v6.19 allows an attacker to manipulate the file paths used by the application. This vulnerability can potentially enable a user to change another user's settings or modify the database without proper authorization, posing significant security risks. It is crucial for users of pgAdmin 4 to update to the latest version to mitigate these vulnerabilities and protect their data integrity.",Postgresql,Pgadmin,6.5,MEDIUM,0.000859999970998615,false,,false,false,false,,,false,false,,2023-03-27T00:00:00.000Z,0
CVE-2022-41862,https://securityvulnerability.io/vulnerability/CVE-2022-41862,Unauthenticated Server Vulnerability in PostgreSQL Affects Libpq Clients,"In certain configurations of PostgreSQL, an unauthenticated server may exploit a flaw during the establishment of Kerberos transport encryption. This can lead to a libpq client over-reading its input, potentially resulting in error messages that reveal uninitialized memory bytes. This could expose sensitive information or allow for further attacks against client applications that rely on PostgreSQL for secure database transactions.",Postgresql,Postgresql,3.7,LOW,0.0006399999838322401,false,,false,false,false,,,false,false,,2023-03-03T00:00:00.000Z,0
CVE-2022-4223,https://securityvulnerability.io/vulnerability/CVE-2022-4223,Improperly Secured API in pgAdmin Affects PostgreSQL Path Validation,"The pgAdmin server incorporates an HTTP API designed to validate user-selected paths to PostgreSQL utilities, such as pg_dump and pg_restore.
However, versions of pgAdmin prior to 6.17 have inadequately secured this API, allowing unauthenticated users to specify arbitrary paths. This weakness can lead to unexpected execution of executables from a defined path on the server, posing a significant risk to system integrity and data security.",Postgresql,Pgadmin4,8.8,HIGH,0.013199999928474426,false,,false,false,false,,,false,false,,2022-12-13T00:00:00.000Z,0
CVE-2022-1552,https://securityvulnerability.io/vulnerability/CVE-2022-1552,Privilege Escalation Vulnerability in PostgreSQL by PostgreSQL Global Development Group,"A flaw exists within PostgreSQL that allows a privileged user operating on another user's objects to sidestep essential protections during certain database commands. Commands like Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck may activate protections inadequately or too late. Consequently, an attacker with permissions to create non-temporary objects in a schema can execute arbitrary SQL functions with superuser rights, potentially compromising database integrity.",Postgresql,Postgresql,8.8,HIGH,0.0026100000832229853,false,,false,false,false,,,false,false,,2022-08-31T00:00:00.000Z,0
CVE-2021-43767,https://securityvulnerability.io/vulnerability/CVE-2021-43767,Unencrypted Byte Injection in Odyssey with PostgreSQL,"The Odyssey server application is susceptible to a vulnerability where it may inadvertently relay unencrypted bytes from a man-in-the-middle attacker to the client when it is set up to use PostgreSQL with 'trust' authentication or 'cert' authentication. This situation allows attackers to inject erroneous responses to the initial queries sent by the client, effectively masquerading these responses as legitimate server replies.
This flaw undermines the expected SSL certificate verification, potentially exposing sensitive data to unauthorized entities.",Postgresql,Odyssey,5.9,MEDIUM,0.0005200000014156103,false,,false,false,false,,,false,false,,2022-08-25T17:27:39.000Z,0
CVE-2022-2625,https://securityvulnerability.io/vulnerability/CVE-2022-2625,Arbitrary Code Execution Vulnerability in PostgreSQL by PostgreSQL Global Development Group,"This vulnerability in PostgreSQL allows an attacker with the required permissions to leverage the ability to create non-temporary objects in a schema. By luring or waiting for an administrator to create or update an affected extension, the attacker can gain the ability to execute arbitrary code with the same privileges as the victim role, potentially including superuser rights. Successful exploitation necessitates a strategic combination of user interaction and permission manipulation, making it crucial for users to apply timely updates and implement security best practices.",Postgresql,Postgresql,8,HIGH,0.002309999894350767,false,,false,false,false,,,false,false,,2022-08-18T00:00:00.000Z,0
CVE-2022-0959,https://securityvulnerability.io/vulnerability/CVE-2022-0959,File Upload Vulnerability in pgAdmin by Red Hat,"An authenticated user can exploit a vulnerability in pgAdmin, allowing them to upload files to any writable location on the operating system.
This risk arises when a user leverages their existing CSRF token and session cookie, potentially leading to unauthorized access or malicious file uploads, compromising system integrity.",Postgresql,Pgadmin,6.5,MEDIUM,0.0005699999746866524,false,,false,false,false,,,false,false,,2022-03-16T14:03:38.000Z,0
CVE-2022-26520,https://securityvulnerability.io/vulnerability/CVE-2022-26520,File Manipulation Vulnerability in pgjdbc Driver Affecting Applications,"A vulnerability exists in the pgjdbc JDBC driver prior to version 42.3.3 that allows an attacker with control over the JDBC URL or properties to exploit the loggerFile and loggerLevel connection properties. This can result in the ability to write arbitrary files to the system, including creating executable JSP files within a Tomcat web root. While the vendor asserts that the risk lies with any application using the pgjdbc driver with untrusted connection properties, it highlights the importance of securing application configurations to prevent unauthorized file access and execution.",Postgresql,Postgresql Jdbc Driver,9.8,CRITICAL,0.0030499999411404133,false,,false,false,false,,,false,false,,2022-03-10T17:47:00.000Z,0
CVE-2021-23214,https://securityvulnerability.io/vulnerability/CVE-2021-23214,SQL Injection Vulnerability in PostgreSQL with Trust Authentication,"A vulnerability exists in the PostgreSQL database when configured with trust authentication alongside a client certificate requirement. This can allow a man-in-the-middle attacker to craft and inject arbitrary SQL queries during the initial connection setup.
This occurs even with SSL certificate verification and encryption enabled, exposing users to significant risk if they do not secure their database instances properly.",Postgresql,Postgresql,8.1,HIGH,0.001970000099390745,false,,false,false,false,,,false,false,,2022-03-04T00:00:00.000Z,0
CVE-2021-3677,https://securityvulnerability.io/vulnerability/CVE-2021-3677,Memory Exposure Vulnerability in PostgreSQL by PostgreSQL Global Development Group,"A vulnerability in PostgreSQL allows authenticated users to execute specially crafted queries that can read arbitrary bytes from the server's memory. This flaw can be exploited without the need for additional privileges, making it a significant risk in default configurations. The severity of the attack can vary depending on the server settings, specifically if 'max_worker_processes' is set to 0, making some known exploit variants infeasible. However, there may exist undiscovered attack variants that are not limited by this server configuration. Database administrators should assess their systems to ensure they are protected against this memory exposure risk.",Postgresql,Postgresql,6.5,MEDIUM,0.000910000002477318,false,,false,false,false,,,false,false,,2022-03-02T00:00:00.000Z,0
CVE-2021-23222,https://securityvulnerability.io/vulnerability/CVE-2021-23222,Man-in-the-Middle Vulnerability in PostgreSQL,"This vulnerability allows a man-in-the-middle attacker to exploit the initial communication between the client and PostgreSQL server. Even with SSL certificate verification and encryption in place, attackers can inject false responses to the client's initial queries.
This exposes sensitive data and undermines the integrity of the communication, making it crucial for users to update their PostgreSQL installations to mitigate this risk.",Postgresql,Postgresql,5.9,MEDIUM,0.0010999999940395355,false,,false,false,false,,,false,false,,2022-03-02T00:00:00.000Z,0
CVE-2022-21724,https://securityvulnerability.io/vulnerability/CVE-2022-21724,Unchecked Class Instantiation when providing Plugin Classes,"pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when an attacker controls the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.",Postgresql,Postgresql Jdbc Driver,7,HIGH,0.00949000008404255,false,,false,false,false,,,false,false,,2022-02-02T11:48:52.000Z,0
CVE-2021-32028,https://securityvulnerability.io/vulnerability/CVE-2021-32028,PostgreSQL Memory Disclosure Vulnerability by PostgreSQL,"A security flaw exists in PostgreSQL that allows an authenticated database user to exploit a crafted table using the INSERT ... ON CONFLICT ... DO UPDATE command, potentially leading to the exposure of arbitrary bytes from the server's memory.
This weakness raises significant concerns regarding data confidentiality, making sensitive information vulnerable to unauthorized access.",Postgresql,Postgresql,6.5,MEDIUM,0.0007200000109151006,false,,false,false,false,,,false,false,,2021-10-11T00:00:00.000Z,0
CVE-2021-32029,https://securityvulnerability.io/vulnerability/CVE-2021-32029,Memory Exposure Vulnerability in PostgreSQL by Community Distribution,"A vulnerability in PostgreSQL allows an authenticated database user to exploit the UPDATE ... RETURNING command on specially crafted tables, potentially revealing arbitrary bytes of server memory. This may lead to unintentional exposure of sensitive data, posing risks to data confidentiality.",Postgresql,Postgresql,6.5,MEDIUM,0.0010499999625608325,false,,false,false,false,,,false,false,,2021-10-08T16:44:22.000Z,0