CVE-2020-25695 log

Severity High
Remote Yes
Type Sandbox escape
A security issue has been found in PostgreSQL before 12.5, where an attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser.
While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from output of the pg_dump command. Performance may degrade quickly under this workaround. VACUUM without the FULL option is safe, and all commands are fine when a trusted user owns the target object.
Group Package Affected Fixed Severity Status Ticket
AVG-1276 postgresql 12.4-2 12.5-1 High Fixed
Date Advisory Group Package Severity Type
17 Nov 2020 ASA-202011-14 AVG-1276 postgresql High multiple issues