Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-9193

EPSS 93.48% · P100
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2019-9193

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Description
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
PostgreSQL 操作系统命令注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
PostgreSQL是PostgreSQL组织的一套自由的对象关系型数据库管理系统。该系统支持大部分SQL标准并且提供了许多其他特性,例如外键、触发器、视图等。 PostgreSQL 9.3至11.2版本中的导入导出数据命令‘COPY TO/FROM PROGRAM’存在操作系统命令注入漏洞。攻击者可利用该漏洞获取数据库超级用户权限,从而执行任意系统命令。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Shenlong Deep Dive — AI Deep Analysis

10-question deep dive: root cause, exploitation, mitigation, urgency. Read summary free, full version requires login.

Read summary Full analysis (login)

Affected Products

VendorProductAffected VersionsCPESubscribe
-n/a n/a -

II. Public POCs for CVE-2019-9193

#POC DescriptionSource LinkShenlong Link
1PostgreSQL Remote Code Executuonhttps://github.com/wkjung0624/cve-2019-9193POC Details
2CVE-2019–9193 - PostgreSQL 9.3-12.3 Authenticated Remote Code Executionhttps://github.com/b4keSn4ke/CVE-2019-9193POC Details
3PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) https://github.com/chromanite/CVE-2019-9193-PostgreSQL-9.3-11.7POC Details
4Nonehttps://github.com/paulotrindadec/CVE-2019-9193POC Details
5is a PoC tool designed to exploit an authenticated Remote Code Execution (RCE) vulnerability in specific versions of PostgreSQL (9.3 - 11.7)https://github.com/geniuszlyy/CVE-2019-9193POC Details
6PoC tool designed to exploit an authenticated Remote Code Execution (RCE) vulnerability in certain versions of PostgreSQL (9.3 - 11.7)https://github.com/AxthonyV/CVE-2019-9193POC Details
7Nonehttps://github.com/A0be/CVE-2019-9193POC Details
8is a PoC tool designed to exploit an authenticated Remote Code Execution (RCE) vulnerability in specific versions of PostgreSQL (9.3 - 11.7)https://github.com/geniuszly/CVE-2019-9193POC Details
9Nonehttps://github.com/corsisechero/CVE-2019-9193byVulHubPOC Details
10In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’. https://github.com/projectdiscovery/nuclei-templates/blob/main/javascript/cves/2019/CVE-2019-9193.yamlPOC Details
11Nonehttps://github.com/Threekiii/Awesome-POC/blob/master/%E6%95%B0%E6%8D%AE%E5%BA%93%E6%BC%8F%E6%B4%9E/PostgreSQL%20%E9%AB%98%E6%9D%83%E9%99%90%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2019-9193.mdPOC Details
12https://github.com/vulhub/vulhub/blob/master/postgres/CVE-2019-9193/README.mdPOC Details
13PoC tool designed to exploit an authenticated Remote Code Execution (RCE) vulnerability in certain versions of PostgreSQL (9.3 - 11.7)https://github.com/jhnhnck/CVE-2019-9193POC Details
14This lab simulates CVE-2019-9193 - PostgreSQL COPY FROM PROGRAM RCEhttps://github.com/netw0rk7/CVE-2019-9193-Home-LabPOC Details
15Nonehttps://github.com/Cheryanika/CVE-2019-9193---Postgresql---RCEPOC Details
16Nonehttps://github.com/CybersRMUTL/CVE-2019-9193-Postgresql-RCEPOC Details
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2019-9193

登录查看更多情报信息。

Same Patch Batch · n/a · 2019-04-01 · 15 CVEs total

CVE-2018-17990D-Link DSL-3782 操作系统命令注入漏洞
CVE-2018-17565Grandstream GXP16xx VoIP 操作系统命令注入漏洞
CVE-2018-17564Grandstream GXP16xx VoIP 输入验证错误漏洞
CVE-2018-17563Grandstream GXP16xx VoIP 输入验证错误漏洞
CVE-2018-17989D-Link DSL-3782 跨站脚本漏洞
CVE-2018-19113Pronestor PNHM add-in 权限许可和访问控制问题漏洞
CVE-2019-6715WordPress W3 Total Cache插件信息泄露漏洞
CVE-2019-10686Ctrip Apollo 安全漏洞
CVE-2018-5757AudioCodes 450HD IP Phone 操作系统命令注入漏洞
CVE-2019-10684迅易科技 74cms 代码注入漏洞
CVE-2019-5891OverIT Geocall 访问控制错误漏洞
CVE-2019-5890OverIT Geocall 授权问题漏洞
CVE-2019-5889OverIT Geocall 路径遍历漏洞
CVE-2019-5888OverIT Geocall 跨站脚本漏洞

IV. Related Vulnerabilities

Same product: n/a
Same vendor: n/a

V. Comments for CVE-2019-9193

No comments yet

Leave a comment