CVE-2020-25695: 
PostgreSQL vulnerability analysis and mitigation

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser (NVD, PostgreSQL Security).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 8.8 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vulnerability allows an attacker with permissions to create non-temporary objects in at least one schema to escape the PostgreSQL security restricted operation sandbox (NVD, Debian Advisory).

The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. A successful exploit could allow an attacker to execute arbitrary SQL functions with superuser privileges, potentially leading to complete system compromise (NVD, NetApp Advisory).

While promptly updating PostgreSQL to the fixed versions (13.1, 12.5, 11.10, 10.15, 9.6.20, or 9.5.24) is the best remediation, a temporary workaround exists. Users unable to update immediately can disable autovacuum and avoid manually running ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or restore from pgdump output. However, performance may degrade quickly under this workaround ([Red Hat Bugzilla](https://bugzilla.redhat.com/showbug.cgi?id=1894425)).

The vulnerability was discovered and reported by Etienne Stalmans. Multiple vendors and distributions responded by releasing security advisories and patches, including Red Hat, Debian, Ubuntu, and NetApp (Debian Advisory, NetApp Advisory).