CVE-2020-1720 Overview
CVE-2020-1720 is an authorization bypass vulnerability in PostgreSQL's ALTER ... DEPENDS ON EXTENSION command. Sub-commands processed under this statement fail to perform authorization checks [CWE-862, CWE-285]. An authenticated attacker can abuse this flaw to drop database objects they do not own, including functions and triggers, leading to database corruption.
The vulnerability affects PostgreSQL versions before 12.2, 11.7, 10.12, and 9.6.17. Downstream distributions including Red Hat Enterprise Linux 8, Red Hat Decision Manager 7.0, and Red Hat Software Collections are also impacted.
Critical Impact
Authenticated database users can drop functions, triggers, and other objects they do not own, corrupting database integrity without triggering authorization failures.
Affected Products
- PostgreSQL versions before 12.2, 11.7, 10.12, and 9.6.17
- Red Hat Enterprise Linux 8 and Red Hat Software Collections
- Red Hat Decision Manager 7.0
Discovery Timeline
- 2020-03-17 - CVE-2020-1720 published to the National Vulnerability Database (NVD)
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2020-1720
Vulnerability Analysis
The flaw resides in PostgreSQL's handling of the ALTER ... DEPENDS ON EXTENSION SQL statement. This command marks a database object as dependent on an extension, so the object is dropped when the extension is dropped. PostgreSQL processes the dependency change through internal sub-commands that act on the target object.
Those sub-commands omit the authorization checks normally enforced on direct ALTER and DROP operations. As a result, an authenticated user with the ability to invoke the dependency statement can register dependencies that lead to the deletion of objects they do not own. The integrity impact is high, while confidentiality and availability are not directly affected per the CVSS vector.
Root Cause
The root cause is missing authorization enforcement [CWE-862] within the sub-command path invoked by ALTER ... DEPENDS ON EXTENSION. PostgreSQL's standard permission model requires object ownership or explicit privileges to alter or drop catalog objects such as functions and triggers. The dependency code path bypasses those checks, breaking the privilege model [CWE-285].
Attack Vector
Exploitation requires an authenticated PostgreSQL session with the ability to execute ALTER ... DEPENDS ON EXTENSION against a target object. The attack proceeds over the network through a normal database connection and does not require user interaction. An attacker uses the statement to bind a victim-owned object to an extension, then drops or manipulates the extension to remove the dependent object. Successful exploitation results in database corruption through the unauthorized removal of functions, triggers, or related objects.
No public proof-of-concept exploit is recorded for this issue, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Red Hat Bugzilla CVE-2020-1720 entry for vendor analysis.
Detection Methods for CVE-2020-1720
Indicators of Compromise
- Unexpected DROP FUNCTION, DROP TRIGGER, or similar object removal events in PostgreSQL logs without a corresponding authorized administrator session.
- Audit entries showing ALTER ... DEPENDS ON EXTENSION issued by non-privileged roles against objects they do not own.
- Catalog inconsistencies where extensions reference objects owned by multiple unrelated roles.
Detection Strategies
- Enable PostgreSQL statement logging with log_statement = 'ddl' to capture every ALTER and DROP event, then alert on dependency changes issued by non-superuser roles.
- Deploy the pgaudit extension to record object-level DDL activity with attribution to the executing role.
- Correlate database audit logs with endpoint and network telemetry in a centralized SIEM to identify abnormal DDL patterns originating from application service accounts.
Monitoring Recommendations
- Monitor PostgreSQL server version reporting and flag instances running releases earlier than 12.2, 11.7, 10.12, or 9.6.17.
- Track creation and modification of extension dependencies in pg_depend for unexpected role activity.
- Alert on privilege-sensitive SQL keywords (ALTER, DEPENDS ON EXTENSION, DROP EXTENSION) executed by application or low-privilege accounts.
How to Mitigate CVE-2020-1720
Immediate Actions Required
- Upgrade PostgreSQL to version 12.2, 11.7, 10.12, 9.6.17, or later on every affected instance.
- Apply vendor updates from Red Hat for Enterprise Linux 8, Software Collections, and Decision Manager 7.0 where applicable.
- Audit existing pg_depend entries and revoke unnecessary roles from databases that host sensitive extensions.
- Restrict the ability to create or alter extensions to trusted administrative roles only.
Patch Information
PostgreSQL fixed the issue in versions 12.2, 11.7, 10.12, and 9.6.17. Review the PostgreSQL News Release for upstream release notes and the openSUSE Security Announcement for distribution-specific package updates. Red Hat customers should consult the Red Hat Bugzilla CVE-2020-1720 advisory for errata details.
Workarounds
- Limit database login privileges so untrusted users cannot issue ALTER ... DEPENDS ON EXTENSION against shared objects.
- Separate application schemas and extensions across distinct roles to constrain the blast radius of dependency-based object drops.
- Take regular logical and physical backups so any corruption caused by unauthorized object drops can be reverted quickly.
# Verify PostgreSQL version and apply patched release
psql -U postgres -c "SHOW server_version;"
# Example: upgrade on RHEL 8 via dnf
sudo dnf update postgresql postgresql-server
# Enable DDL logging in postgresql.conf
# log_statement = 'ddl'
# log_line_prefix = '%m [%p] %q%u@%d '
sudo systemctl restart postgresql
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
