{"api_version":"1","generated_at":"2026-04-22T23:21:38+00:00","cve":"CVE-2020-1720","urls":{"html":"https://cve.report/CVE-2020-1720","api":"https://cve.report/api/cve/CVE-2020-1720.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2020-1720","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2020-1720"},"summary":{"title":"CVE-2020-1720","description":"A flaw was found in PostgreSQL's \"ALTER ... DEPENDS ON EXTENSION\", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2020-03-17 16:15:00","updated_at":"2023-11-07 03:19:00"},"problem_types":["CWE-862"],"metrics":[],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720","refsource":"CONFIRM","tags":["Issue Tracking","Patch","Third Party Advisory"],"title":"1798852 – (CVE-2020-1720) CVE-2020-1720 postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.postgresql.org/about/news/2011/","name":"https://www.postgresql.org/about/news/2011/","refsource":"MISC","tags":["Release Notes","Vendor Advisory"],"title":"PostgreSQL: PostgreSQL 12.2, 11.7, 10.12, 9.6.17, 9.5.21, and 9.4.26 Released!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html","name":"openSUSE-SU-2020:1227","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1227-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2020-1720","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2020-1720","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2020","cve_id":"1720","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"postgresql","cpe5":"postgresql","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1720","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"postgresql","cpe5":"postgresql","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1720","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"decision_manager","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1720","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"decision_manager","cpe6":"7.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1720","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1720","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"redhat","cpe5":"enterprise_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1720","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"software_collections","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2020","cve_id":"1720","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"software_collections","cpe6":"-","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2020-1720","qid":"159270","title":"Oracle Enterprise Linux Security Update for rh-postgresql10-postgresql (ELSA-2021-9290)"},{"cve":"CVE-2020-1720","qid":"377113","title":"Alibaba Cloud Linux Security Update for postgresql:12 (ALINUX3-SA-2021:0017)"},{"cve":"CVE-2020-1720","qid":"500538","title":"Alpine Linux Security Update for postgresql"},{"cve":"CVE-2020-1720","qid":"502006","title":"Alpine Linux Security Update for postgresql14"},{"cve":"CVE-2020-1720","qid":"502160","title":"Alpine Linux Security Update for postgresql12"},{"cve":"CVE-2020-1720","qid":"502772","title":"Alpine Linux Security Update for postgresql15"},{"cve":"CVE-2020-1720","qid":"504305","title":"Alpine Linux Security Update for postgresql14"},{"cve":"CVE-2020-1720","qid":"900047","title":"CBL-Mariner Linux Security Update for postgresql 12.1"},{"cve":"CVE-2020-1720","qid":"903369","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for postgresql (1892)"},{"cve":"CVE-2020-1720","qid":"940130","title":"AlmaLinux Security Update for postgresql:12 (ALSA-2020:5620)"},{"cve":"CVE-2020-1720","qid":"940299","title":"AlmaLinux Security Update for postgresql:9.6 (ALSA-2020:5619)"},{"cve":"CVE-2020-1720","qid":"960242","title":"Rocky Linux Security Update for postgresql:12 (RLSA-2020:5620)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2020-1720","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Red Hat","product":{"product_data":[{"product_name":"postgresql","version":{"version_data":[{"version_value":"12.2"},{"version_value":"11.7"},{"version_value":"10.12"},{"version_value":"9.6.17"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-285"}]}]},"references":{"reference_data":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720","refsource":"CONFIRM"},{"url":"https://www.postgresql.org/about/news/2011/","name":"https://www.postgresql.org/about/news/2011/","refsource":"MISC"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1227","url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in PostgreSQL's \"ALTER ... DEPENDS ON EXTENSION\", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17."}]},"impact":{"cvss":[[{"vectorString":"3.1/CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.0"}]]}},"nvd":{"publishedDate":"2020-03-17 16:15:00","lastModifiedDate":"2023-11-07 03:19:00","problem_types":["CWE-862"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:M/Au:S/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"MEDIUM","authentication":"SINGLE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":3.5},"severity":"LOW","exploitabilityScore":6.8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"12.0","versionEndExcluding":"12.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"11.0","versionEndExcluding":"11.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"10.0","versionEndExcluding":"10.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"9.6","versionEndExcluding":"9.6.17","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:decision_manager:7.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2020","CveId":"1720","Ordinal":"160958","Title":"CVE-2020-1720","CVE":"CVE-2020-1720","Year":"2020"},"notes":[{"CveYear":"2020","CveId":"1720","Ordinal":"1","NoteData":"A flaw was found in PostgreSQL's \"ALTER ... DEPENDS ON EXTENSION\", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.","Type":"Description","Title":null},{"CveYear":"2020","CveId":"1720","Ordinal":"2","NoteData":"2020-03-17","Type":"Other","Title":"Published"},{"CveYear":"2020","CveId":"1720","Ordinal":"3","NoteData":"2020-08-17","Type":"Other","Title":"Modified"}]}}}