pkg:Bitnami/postgresql

所有已知漏洞

• CRITICAL9.8CVE-2024-24213Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pg_meta/default/query.
  >= 15.1.0, <= 15.1.0
• HIGH8.8CVE-2026-6638PostgreSQL REFRESH PUBLICATION allows SQL injection via table name
  >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• HIGH8.8CVE-2026-6637PostgreSQL refint allows stack buffer overflow and SQL injection
  from 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• HIGH8.8CVE-2026-6477PostgreSQL libpq lo_* functions let server superuser overwrite client stack memory
  from 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• HIGH8.8CVE-2026-6475PostgreSQL pg_basebackup and pg_rewind can overwrite unrelated files of origin superuser choice
  from 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• HIGH8.8CVE-2026-6473PostgreSQL server undersizes allocations, via integer wraparound
  from 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• HIGH8.8CVE-2026-2006PostgreSQL missing validation of multibyte character length executes arbitrary code
  from 0, < 14.21.0, >= 15.0.0, < 15.16.0, >= 16.0.0, < 16.12.0, >= 17.0.0, < 17.8.0, >= 18.0.0, < 18.2.0
• HIGH8.8CVE-2026-2005PostgreSQL pgcrypto heap buffer overflow executes arbitrary code
  from 0, < 14.21.0, >= 15.0.0, < 15.16.0, >= 16.0.0, < 16.12.0, >= 17.0.0, < 17.8.0, >= 18.0.0, < 18.2.0
• HIGH8.8CVE-2026-2004PostgreSQL intarray missing validation of type of input to selectivity estimator executes arbitrary code
  from 0, < 14.21.0, >= 15.0.0, < 15.16.0, >= 16.0.0, < 16.12.0, >= 17.0.0, < 17.8.0, >= 18.0.0, < 18.2.0
• HIGH8.8CVE-2025-8715PostgreSQL pg_dump newline in object name executes arbitrary code in psql client and in restore target server
  >= 11.20.0, < 13.22.0, >= 14.0.0, < 14.19.0, >= 15.0.0, < 15.14.0, >= 16.0.0, < 16.10.0, >= 17.0.0, < 17.6.0
• HIGH8.8CVE-2025-8714PostgreSQL pg_dump lets superuser of origin server execute arbitrary code in psql client
  from 0, < 13.22.0, >= 14.0.0, < 14.19.0, >= 15.0.0, < 15.14.0, >= 16.0.0, < 16.10.0, >= 17.0.0, < 17.6.0
• HIGH8.8CVE-2024-10979PostgreSQL PL/Perl environment variable changes execute arbitrary code
  from 0, < 13.17.0, >= 14.0.0, < 14.14.0, >= 15.0.0, < 15.9.0, >= 16.0.0, < 16.5.0, >= 17.0.0, < 17.1.0
• HIGH8.8CVE-2023-5869Postgresql: buffer overrun from integer overflow in array modification
  >= 11.0.0, < 11.22.0, >= 12.0.0, < 12.17.0, >= 13.0.0, < 13.13.0, >= 14.0.0, < 14.10.0, >= 15.0.0, < 15.5.0, >= 16.0.0, < 16.0.1
• HIGH8.8CVE-2023-39417Postgresql: extension script @substitutions@ within quoting allow sql injection
  >= 11.0.0, < 11.21.0, >= 12.0.0, < 12.16.0, >= 13.0.0, < 13.12.0, >= 14.0.0, < 14.9.0, >= 15.0.0, < 15.4.0
• HIGH8.8CVE-2022-1552postgresql-13 - security update
  >= 10.0.0, < 10.21.0, >= 11.0.0, < 11.16.0, >= 12.0.0, < 12.11.0, >= 13.0.0, < 13.7.0, >= 14.0.0, < 14.3.0
• HIGH8.8CVE-2021-32027postgresql-11 - security update
  >= 9.6.0, < 9.6.22, >= 10.0.0, < 10.17.0, >= 11.0.0, < 11.12.0, >= 12.0.0, < 12.7.0, >= 13.0.0, < 13.3.0
• HIGH8.8CVE-2020-25695A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24.
  from 0, < 9.5.24, >= 9.6.0, < 9.6.20, >= 10.0.0, < 10.15.0, >= 11.0.0, < 11.10.0, >= 12.0.0, < 12.5.0, >= 13.0.0, < 13.1.0
• HIGH8.2CVE-2026-2007PostgreSQL pg_trgm heap buffer overflow writes pattern onto server memory
  >= 18.0.0, < 18.2.0
• HIGH8.1CVE-2025-1094PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation
  from 0, < 13.19.0, >= 14.0.0, < 14.16.0, >= 15.0.0, < 15.11.0, >= 16.0.0, < 16.7.0, >= 17.0.0, < 17.3.0
• HIGH8.1CVE-2021-23214postgresql-13 - security update
  from 0, < 9.6.24, >= 10.0.0, < 10.19.0, >= 11.0.0, < 11.14.0, >= 12.0.0, < 12.9.0, >= 13.0.0, < 13.5.0, >= 14.0.0, < 14.0.1
• HIGH8.1CVE-2020-25694postgresql-9.6 - security update
  from 0, < 9.5.24, >= 9.6.0, < 9.6.20, >= 10.0.0, < 10.15.0, >= 11.0.0, < 11.10.0, >= 12.0.0, < 12.5.0, >= 13.0.0, < 13.1.0
• HIGH8.0CVE-2024-0985PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL
  >= 12.0.0, < 12.18.0, >= 13.0.0, < 13.14.0, >= 14.0.0, < 14.11.0, >= 15.0.0, < 15.6.0
• HIGH8.0CVE-2022-2625postgresql-11 - security update
  >= 10.0.0, < 10.22.0, >= 11.0.0, < 11.17.0, >= 12.0.0, < 12.12.0, >= 13.0.0, < 13.8.0, >= 14.0.0, < 14.5.0
• HIGH7.5CVE-2026-6479PostgreSQL SSL/GSS init causes denial of service, via uncontrolled recursion
  from 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• HIGH7.5CVE-2024-7348PostgreSQL relation replacement during pg_dump executes arbitrary SQL
  from 0, < 12.20.0, >= 13.0.0, < 13.16.0, >= 14.0.0, < 14.13.0, >= 15.0.0, < 15.8.0, >= 16.0.0, < 16.4.0
• HIGH7.5CVE-2020-25696A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.…
  >= 9.5.0, < 9.5.24, >= 9.6.0, < 9.6.20, >= 10.0.0, < 10.15.0, >= 11.0.0, < 11.10.0, >= 12.0.0, < 12.5.0, >= 13.0.0, < 13.1.0
• HIGH7.3CVE-2020-10733The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths.
  >= 9.5.0, < 9.5.22, >= 9.6.0, < 9.6.18, >= 10.0.0, < 10.13.0, >= 11.0.0, < 11.8.0, >= 12.0.0, < 12.3.0
• HIGH7.3CVE-2020-14350postgresql-9.6 - security update
  >= 9.5.0, < 9.5.23, >= 9.6.0, < 9.6.19, >= 10.0.0, < 10.14.0, >= 11.0.0, < 11.9.0, >= 12.0.0, < 12.4.0
• HIGH7.2CVE-2026-6476PostgreSQL pg_createsubscriber allows SQL injection via subscription name
  >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• HIGH7.2CVE-2023-2454postgresql-13 - security update
  >= 11.0.0, < 11.20.0, >= 12.0.0, < 12.15.0, >= 13.0.0, < 13.11.0, >= 14.0.0, < 14.8.0, >= 15.0.0, < 15.3.0
• HIGH7.1CVE-2020-14349It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical re…
  >= 10.0.0, < 10.14.0, >= 11.0.0, < 11.9.0, >= 12.0.0, < 12.4.0
• MEDIUM6.5CVE-2026-6478PostgreSQL discloses MD5-hashed passwords via covert timing channel
  from 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• MEDIUM6.5CVE-2021-3677A flaw was found in postgresql.
  >= 11.0.0, < 11.13.0, >= 12.0.0, < 12.8.0, >= 13.0.0, < 13.4.0
• MEDIUM6.5CVE-2021-32028A flaw was found in postgresql.
  >= 9.6.0, < 9.6.22, >= 10.0.0, < 10.17.0, >= 11.0.0, < 11.12.0, >= 12.0.0, < 12.7.0, >= 13.0.0, < 13.3.0
• MEDIUM6.5CVE-2021-32029A flaw was found in postgresql.
  >= 11.0.0, < 11.12.0, >= 12.0.0, < 12.7.0, >= 13.0.0, < 13.3.0
• MEDIUM6.5CVE-2020-1720postgresql-11 - security update
  >= 9.6.0, < 9.6.17, >= 10.0.0, < 10.12.0, >= 11.0.0, < 11.7.0, >= 12.0.0, < 12.2.0
• MEDIUM5.9CVE-2025-12818PostgreSQL libpq undersizes allocations, via integer wraparound
  from 0, < 13.23.0, >= 14.0.0, < 14.20.0, >= 15.0.0, < 15.15.0, >= 16.0.0, < 16.11.0, >= 17.0.0, < 17.7.0, >= 18.0.0, < 18.1.0
• MEDIUM5.9CVE-2025-4207PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation
  from 0, < 13.21.0, >= 14.0.0, < 14.18.0, >= 15.0.0, < 15.13.0, >= 16.0.0, < 16.9.0, >= 17.0.0, < 17.5.0
• MEDIUM5.9CVE-2021-43767Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'tr…
  >= 9.6.0, < 9.6.24, >= 10.0.0, < 10.19.0, >= 11.0.0, < 11.14.0, >= 12.0.0, < 12.9.0, >= 13.0.0, < 13.5.0, >= 14.0.0, < 14.0.1
• MEDIUM5.9CVE-2021-23222A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification…
  >= 9.6.0, < 9.6.24, >= 10.0.0, < 10.19.0, >= 11.0.0, < 11.14.0, >= 12.0.0, < 12.9.0, >= 13.0.0, < 13.5.0, >= 14.0.0, < 14.0.1
• MEDIUM5.4CVE-2026-6472PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege
  from 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• MEDIUM5.4CVE-2024-10976PostgreSQL row security below e.g. subqueries disregards user ID changes
  from 0, < 13.17.0, >= 14.0.0, < 14.14.0, >= 15.0.0, < 15.9.0, >= 16.0.0, < 16.5.0, >= 17.0.0, < 17.1.0
• MEDIUM5.4CVE-2023-2455Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases w…
  >= 11.0.0, < 11.20.0, >= 12.0.0, < 12.15.0, >= 13.0.0, < 13.11.0, >= 14.0.0, < 14.8.0, >= 15.0.0, < 15.3.0
• MEDIUM4.4CVE-2020-21469An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals.
  >= 12.2.0, < 12.2.1
• MEDIUM4.4CVE-2023-5870Postgresql: role pg_signal_backend can signal certain superuser processes.
  >= 11.0.0, < 11.22.0, >= 12.0.0, < 12.17.0, >= 13.0.0, < 13.13.0, >= 14.0.0, < 14.10.0, >= 15.0.0, < 15.5.0, >= 16.0.0, < 16.0.1
• MEDIUM4.3CVE-2026-6575PostgreSQL pg_restore_attribute_stats accepts values that cause query planning to read past end of stats array
  >= 18.0.0, < 18.4.0
• MEDIUM4.3CVE-2026-6474PostgreSQL timeofday() can disclose portions of server memory
  from 0, < 14.23.0, >= 15.0.0, < 15.18.0, >= 16.0.0, < 16.14.0, >= 17.0.0, < 17.10.0, >= 18.0.0, < 18.4.0
• MEDIUM4.3CVE-2026-2003PostgreSQL oidvector discloses a few bytes of memory
  from 0, < 14.21.0, >= 15.0.0, < 15.16.0, >= 16.0.0, < 16.12.0, >= 17.0.0, < 17.8.0, >= 18.0.0, < 18.2.0
• MEDIUM4.3CVE-2024-4317PostgreSQL pg_stats_ext and pg_stats_ext_exprs lack authorization checks
  >= 14.0.0, < 14.12.0, >= 15.0.0, < 15.7.0, >= 16.0.0, < 16.3.0
• MEDIUM4.3CVE-2023-5868Postgresql: memory disclosure in aggregate function calls
  >= 11.0.0, < 11.22.0, >= 12.0.0, < 12.17.0, >= 13.0.0, < 13.13.0, >= 14.0.0, < 14.10.0, >= 15.0.0, < 15.5.0, >= 16.0.0, < 16.0.1
• MEDIUM4.3CVE-2023-39418Postgresql: merge fails to enforce update or select row security policies
  >= 15.0.0, < 15.4.0
• MEDIUM4.3CVE-2021-3393An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11.
  from 0, < 11.11.0, >= 12.0.0, < 12.6.0, >= 13.0.0, < 13.2.0
• MEDIUM4.3CVE-2021-20229A flaw was found in PostgreSQL in versions before 13.2.
  >= 13.0.0, < 13.2.0
• MEDIUM4.2CVE-2024-10978PostgreSQL SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID
  from 0, < 12.21.0, >= 13.0.0, < 13.17.0, >= 14.0.0, < 14.14.0, >= 15.0.0, < 15.9.0, >= 16.0.0, < 16.5.0, >= 17.0.0, < 17.1.0
• LOW3.7CVE-2024-10977PostgreSQL libpq retains an error message from man-in-the-middle
  from 0, < 12.21.0, >= 13.0.0, < 13.17.0, >= 14.0.0, < 14.14.0, >= 15.0.0, < 15.9.0, >= 16.0.0, < 16.5.0, >= 17.0.0, < 17.1.0
• LOW3.7CVE-2022-41862In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption.
  >= 12.0.0, < 12.14.0, >= 13.0.0, < 13.10.0, >= 14.0.0, < 14.7.0, >= 15.0.0, < 15.2.0
• LOW3.1CVE-2025-12817PostgreSQL CREATE STATISTICS does not check for schema CREATE privilege
  from 0, < 13.23.0, >= 14.0.0, < 14.20.0, >= 15.0.0, < 15.15.0, >= 16.0.0, < 16.11.0, >= 17.0.0, < 17.7.0, >= 18.0.0, < 18.1.0
• LOW3.1CVE-2025-8713PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table
  from 0, < 13.22.0, >= 14.0.0, < 14.19.0, >= 15.0.0, < 15.14.0, >= 16.0.0, < 16.10.0, >= 17.0.0, < 17.6.0