Hi

On 2019-04-04 21:50:41 +0200, Magnus Hagander wrote:
> On Thu, Apr 4, 2019 at 9:45 PM Tom Lane <tgl@xxxxxxxxxxxxx> wrote:
>
> > Jeremy Schneider <schnjere@xxxxxxxxxx> writes:
> > > I'm all for having clear documentation about the security model in
> > > PostgreSQL, but I personally wouldn't be in favor of adding extra
> > > wording to the docs just to pacify concerns about a CVE which may have
> > > been erroneously granted by an assigning authority, who possibly should
> > > have done better due diligence reviewing the content. Particularly if
> > > there's any possibility that the decision to assign the number can be
> > > appealed/changed, though admittedly I know very little about the CVE
> > > process.
> >
> > Just FYI, we have filed a dispute with Mitre about the CVE, and also
> > reached out to trustwave to try to find out why they filed the CVE
> > despite the earlier private discussion.
> >
>
> The original author has also pretty much acknowledged in comments on his
> blog and on twitter that it's not actually a vulnerability. (He doesn't
> agree with the design decision, which is apparently enough for a high
> scoring CVE registration).

Btw, the xp_cmdshell thing the author references several times? It can be
enabled via tsql if you have a privileged account.
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/xp-cmdshell-server-configuration-option?view=sql-server-2017
and it allows executing shell code (as a specified user) even when not a
sysadmin:
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017#xp_cmdshell-proxy-account

Greetings,

Andres Freund
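The xp_cmdshell comparison above is the one technical point in this message. As an added illustration for administrators auditing their own SQL Server instances (this is not code from the thread or from the PostgreSQL project, and it assumes a login with rights to read sys.configurations and sys.credentials in master and to run sp_configure), the following T-SQL reports whether xp_cmdshell is enabled, whether a proxy account credential exists that lets non-sysadmin principals use it, and which principals hold EXECUTE on it; the final statements show the hardened setting (feature disabled, proxy credential removed) beside the weak one.

```sql
-- Added audit/hardening example; assumes a login that can read
-- master's catalog views and run sp_configure (sysadmin or ALTER SETTINGS).

-- 1. Is the feature switched on?  value_in_use = 1 means xp_cmdshell is live.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Does a proxy credential exist?  If so, non-sysadmin callers with EXECUTE
--    on xp_cmdshell run OS commands as this Windows account.
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 3. Which database principals in master hold EXECUTE on xp_cmdshell?
--    Anything beyond sysadmin members here is the non-sysadmin path
--    described in the message.
SELECT pr.name AS grantee, dp.permission_name, dp.state_desc
FROM master.sys.database_permissions AS dp
JOIN master.sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
JOIN master.sys.objects AS o
  ON o.object_id = dp.major_id
WHERE o.name = 'xp_cmdshell';

-- Weak state (what the linked docs describe enabling):
--   EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
--   EXEC sp_configure 'xp_cmdshell', 1;          RECONFIGURE;
--   EXEC sp_xp_cmdshell_proxy_account 'DOMAIN\\svc', 'password';

-- Hardened state: turn the feature off and drop the proxy credential so
-- neither sysadmins nor proxied callers can reach the OS shell this way.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_xp_cmdshell_proxy_account NULL;  -- NULL deletes the proxy credential
```

Run the three SELECTs on a schedule (or wire them into your configuration-drift monitoring); a row with value_in_use = 1, a present proxy credential, or an unexpected grantee is the finding to act on.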