Security vulnerability: PostgreSQL databases open to attack
A security patch closes a code-injection gap in the PostgreSQL database management system.
(Image: AFANASEV IVAN/Shutterstock.com)
Database admins should promptly update their PostgreSQL instances to the latest release. Otherwise, attackers can smuggle their own SQL commands into the server and execute them.
SQL injection
According to a report, security researchers discovered a further vulnerability (CVE-2025-1094, rated "high") while investigating a security gap (CVE-2024-12356, rated "critical") in the remote access products Privileged Remote Access (PRA) and Remote Support (RS) from BeyondTrust.
The security updates for PRA and RS, available for some time now, block exploitation of both vulnerabilities. However, the researchers state that the second vulnerability also affects PostgreSQL itself. The PostgreSQL developers have now confirmed this in a security advisory.
The vulnerability lies in several functions of libpq, PostgreSQL's client library. Input is not sufficiently sanitized, so attackers who control the input can inject their own SQL commands. Given the threat classification, it has to be assumed that attackers can use it to compromise systems.
The developers state that the gap is closed in versions 13.19, 14.16, 15.11, 16.7 and 17.3. All earlier versions are vulnerable. Since the flaw is in libpq, applications that link or bundle their own copy of the client library need the updated library as well, not just a patched server. So far there are no reports of attacks in the wild.
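Whether a given installation is still exposed is a question of whether its version meets the fixed releases listed above. The following script is an added example, not code from heise or from the PostgreSQL project: it takes the fixed-version table from the article and classifies version strings such as those printed by `SHOW server_version`, `SELECT version()`, `psql --version` or `pg_config --version`. The handled string formats, the treatment of major versions newer than 17 as released after the fix, and the sample inputs are assumptions of this example.

```python
"""Classify PostgreSQL version strings against the releases that fix
CVE-2025-1094 (13.19, 14.16, 15.11, 16.7, 17.3 per the article).

Added example; not code from heise or the PostgreSQL project.
"""
import re

# First fixed minor release per supported major, from the article.
FIXED = {13: 19, 14: 16, 15: 11, 16: 7, 17: 3}

# Matches "16.4", "PostgreSQL 17.2 on x86_64...", "psql (PostgreSQL) 13.19",
# "16.4 (Debian 16.4-1.pgdg120+1)". Assumed to cover the common tools.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) from a version string; ValueError if none found."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no PostgreSQL version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(text):
    """True if the version is a release carrying the CVE-2025-1094 fix.

    Assumption: any major newer than 17 shipped after the fix and is
    therefore patched. Majors older than 13 are out of support and
    received no fix, so they count as vulnerable (the article says all
    earlier versions are affected).
    """
    major, minor = parse_version(text)
    if major > max(FIXED):
        return True
    if major not in FIXED:
        return False
    return minor >= FIXED[major]


def classify(version_strings):
    """Map each version string to 'patched' or 'VULNERABLE'."""
    return {v: ("patched" if is_patched(v) else "VULNERABLE")
            for v in version_strings}


if __name__ == "__main__":
    # Constructed sample output, as a real fleet inventory might list it.
    SAMPLE = [
        "16.4 (Debian 16.4-1.pgdg120+1)",   # older than 16.7
        "PostgreSQL 17.3 on x86_64-pc-linux-gnu",
        "psql (PostgreSQL) 13.19",
        "12.22",                             # end-of-life, no fix
    ]
    for version, status in classify(SAMPLE).items():
        print(f"{status:10s} {version}")
```

Run it against real hosts by feeding the output of `psql -Atc "SHOW server_version"` to `is_patched`; remember to check the libpq version on application hosts (for example via `pg_config --version`) as well, since that is where the vulnerable code lives.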
(des)