CVE-2020-1720: High severity ibm data risk manager vulnerability

Published Feb 6, 2020
·
Updated

A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption.

Other sources

PostgreSQL could allow a remote authenticated attacker to bypass security restrictions, caused by improper authorization validation by the ALTER … DEPENDS ON EXTENSION sub-commands. By sending a specially-crafted request, an attacker could exploit this vulnerability to drop any function, procedure, materialized view, index, or trigger under certain conditions.

IBM

The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform authorization checks. If one of the following prerequisites holds, an unprivileged user can exploit this to drop any function, procedure, materialized view, index, or trigger. The attack is possible if an administrator has installed an extension that unprivileged users can CREATE. The attack is also possible if an extension owner issues DROP EXTENSION predictably or can be convinced to issue DROP EXTENSION.

Red Hat

Affected Software

15 affected componentsFixes available
redhat/rh-postgresql10-postgresql<0:10.12-2.el7
0:10.12-2.el7
redhat/rh-postgresql96-postgresql<0:9.6.19-1.el7
0:9.6.19-1.el7
redhat/rh-postgresql12-postgresql<0:12.4-1.el7
0:12.4-1.el7
redhat/PostgreSQL<12.2
12.2
redhat/PostgreSQL<11.7
11.7
redhat/PostgreSQL<10.12
10.12
redhat/PostgreSQL<9.6.17
9.6.17
IBM Data Risk Manager<=2.0.6
PostgreSQL postgresql>=9.6<9.6.17
PostgreSQL postgresql>=10.0<10.12
PostgreSQL postgresql>=11.0<11.7
PostgreSQL postgresql>=12.0<12.2
redhat Decision Manager=7.0
redhat Software Collections
redhat Enterprise Linux=8.0

Remediation

Patch Available

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720

Event History

Feb 13, 2020
CVE Published
12:00 AM
Mar 17, 2020
CVE Published
via MITRE·03:28 PM
Data Sourced
via MITRE·03:28 PM
DescriptionSeverityWeakness

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2020-1720?

CVE-2020-1720 is a vulnerability found in PostgreSQL's ALTER ... DEPENDS ON EXTENSION sub-commands that allows an authenticated attacker to perform unauthorized drop objects leading to database corruption.

2

How severe is CVE-2020-1720?

CVE-2020-1720 is considered a high severity vulnerability with a severity score of 8.1 out of 10.

3

Which versions of PostgreSQL are affected by CVE-2020-1720?

Versions 12.2, 11.7, 10.12, and 9.6.17 of PostgreSQL are affected by CVE-2020-1720.

4

How can an attacker exploit CVE-2020-1720?

An authenticated attacker can exploit CVE-2020-1720 in certain configurations by using the ALTER ... DEPENDS ON EXTENSION command to drop objects such as functions and triggers, leading to database corruption.

5

What is the remedy for CVE-2020-1720?

To fix CVE-2020-1720, you should upgrade to PostgreSQL versions 12.3, 11.9, 10.15, or 9.6.20, depending on the affected version.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203