I had not paid much attention to this vulnerability before, so here is a brief note on it.
PostgreSQL ships a set of system views that can be used to query the system catalogs.
Because the pg_stats_ext and pg_stats_ext_exprs views lacked the necessary access control in PostgreSQL 14-16 before versions 16.3, 15.7 and 14.12, an unauthorized user could use these views to read statistics that other users had created with CREATE...
PostgreSQL 14-16 have a vulnerability in which unauthorized users can access statistics data created by other users. The issue is fixed in versions 16.3, 15.7 and 14.12. Upgrading the server binaries alone is not enough: administrators of existing databases must also rebuild the affected system views to tighten their access permissions, and the fix script for doing so ships with the source code. The vulnerability matters where fine-grained access control is enforced inside the database. If the application does not implement proper role-based user access to the database, administrators have more serious issues to worry about than this one.
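Because the remedy has two halves (a patched binary and rebuilt views in every existing database), a defender wants a check that covers both. The following queries are an added example, not part of the original post. They assume the fixed-release thresholds named above (16.3, 15.7, 14.12, i.e. server_version_num 160003, 150007, 140012) and that the repaired view definitions contain an owner check via pg_has_role(); verify that last assumption against the fix script shipped with your patched release before relying on the second query.

```sql
-- Added example (not from the original post). Run in each database of the cluster.

-- 1. Is the server binary at or above a fixed release?
--    server_version_num = major * 10000 + minor, so 16.3 = 160003, 15.7 = 150007, 14.12 = 140012.
SELECT current_setting('server_version')      AS server_version,
       current_setting('server_version_num')  AS server_version_num,
       CASE
         WHEN current_setting('server_version_num')::int >= 160003 THEN 'binary patched (16.3 or later)'
         WHEN current_setting('server_version_num')::int >= 160000 THEN 'UPGRADE: 16.x older than 16.3'
         WHEN current_setting('server_version_num')::int >= 150007 THEN 'binary patched (15.7 or later)'
         WHEN current_setting('server_version_num')::int >= 150000 THEN 'UPGRADE: 15.x older than 15.7'
         WHEN current_setting('server_version_num')::int >= 140012 THEN 'binary patched (14.12 or later)'
         WHEN current_setting('server_version_num')::int >= 140000 THEN 'UPGRADE: 14.x older than 14.12'
         ELSE 'major version not covered by this check'
       END AS binary_status;

-- 2. Were the views in THIS database rebuilt? A patched binary does not rewrite
--    view definitions stored in pre-existing databases; that is what the fix script does.
--    Assumption: the repaired definition restricts rows with pg_has_role(c.relowner, 'USAGE').
SELECT n.nspname || '.' || c.relname                         AS view_name,
       pg_get_viewdef(c.oid) ~* 'pg_has_role'                 AS has_owner_check,
       CASE WHEN pg_get_viewdef(c.oid) ~* 'pg_has_role'
            THEN 'view rebuilt'
            ELSE 'REBUILD NEEDED: run the fix script in this database'
       END                                                    AS view_status
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'pg_catalog'
  AND c.relname IN ('pg_stats_ext', 'pg_stats_ext_exprs')
ORDER BY c.relname;
```

The first query reads cluster-wide state, so running it once is enough; the second reads the catalog of the database you are connected to, so loop over every database (including template1, or freshly created databases inherit the old definitions) and treat any row reporting REBUILD NEEDED as unpatched regardless of what the binary version says.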