{"id":"AZL-66306","summary":"CVE-2025-8715 affecting package postgresql for versions less than 16.10-1","details":"Improper neutralization of newlines in pg_dump in PostgreSQL allows a user of the origin server to inject arbitrary code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands inside a purpose-crafted object name.  The same attacks can achieve SQL injection as a superuser of the restore target server.  pg_dumpall, pg_restore, and pg_upgrade are also affected.  Versions before PostgreSQL 17.6, 16.10, 15.14, 14.19, and 13.22 are affected.  Versions before 11.20 are unaffected.  CVE-2012-0868 had fixed this class of problem, but version 11.20 reintroduced it.","modified":"2026-04-01T05:20:56.735556Z","published":"2025-08-14T13:15:37Z","upstream":["CVE-2025-8715"],"references":[{"type":"WEB","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-8715"}],"affected":[{"package":{"name":"postgresql","ecosystem":"Azure Linux:3","purl":"pkg:rpm/azure-linux/postgresql"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"16.10-1"}]}],"database_specific":{"source":"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66306.json"}}],"schema_version":"1.7.5"}