CVE-2020-25695 - log back

CVE-2020-25695 edited at 12 Nov 2020 16:20:52
- Unknown
+ Sandbox escape
CVE-2020-25695 edited at 12 Nov 2020 16:20:32
- Unknown
+ High
- Unknown
+ Remote
+ A security issue has been found in PostgreSQL before 12.5, where an attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser.
+ While promptly updating PostgreSQL is the best remediation for most users, a user unable to do that can work around the vulnerability by disabling autovacuum and not manually running ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a restore from output of the pg_dump command. Performance may degrade quickly under this workaround. VACUUM without the FULL option is safe, and all commands are fine when a trusted user owns the target object.
CVE-2020-25695 created at 12 Nov 2020 16:16:51