Description
CloudNativePG (CNPG) sets role passwords by interpolating the cleartext value into a utility statement (ALTER ROLE "x" WITH PASSWORD '') and executing it. Utility statements are not parameterised, so the literal is captured by pg_stat_statements when pg_stat_statements.track_utility is on. In a deployment shape where a tenant-facing role can read those statistics, the tenant can recover the platform-managed superuser and application-owner passwords from pg_stat_statements on every rotation, reconnect as the superuser, and — where superuser TCP access is enabled — reach OS command execution inside the database pod via COPY … PROGRAM. The earlier mitigation in PR #9950 suppressed log_statement / log_min_error_statement only. pg_stat_statements is a separate subsystem and was not addressed by that change.
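A defender-side audit for the exposure described above, added here as an example and not taken from CloudNativePG or the advisory: it checks the tracking precondition, lists the login roles able to read other roles' statement text, and finds retained password statements without displaying the literal. It assumes PostgreSQL 12 or later, a session running as a superuser or pg_read_all_stats member, and the pg_stat_statements extension created in the current database.

```sql
-- Added audit example (not CNPG code). Run as a superuser or a member of
-- pg_read_all_stats; other roles see '<insufficient privilege>' in query text.

-- 1. Precondition from the description: utility statements are tracked.
--    No rows returned means the pg_stat_statements module is not loaded.
SELECT name, setting, source
FROM pg_settings
WHERE name IN ('pg_stat_statements.track',
               'pg_stat_statements.track_utility');

-- 2. Login roles that can read statement text recorded for OTHER roles.
--    Any tenant-facing role in this list matches the exposed deployment shape.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_read_all_stats', 'MEMBER') AS reads_all_stats
FROM pg_roles AS r
WHERE r.rolcanlogin
  AND (r.rolsuper OR pg_has_role(r.oid, 'pg_read_all_stats', 'MEMBER'))
ORDER BY r.rolname;

-- 3. Retained entries that set a role password. Everything after the
--    PASSWORD keyword is cut so the audit output never repeats the secret.
SELECT s.userid::regrole AS executed_by,
       d.datname,
       s.queryid,
       s.calls,
       regexp_replace(s.query, '(\mPASSWORD\M).*$', '\1 <redacted>', 'i')
           AS statement
FROM pg_stat_statements AS s
LEFT JOIN pg_database AS d ON d.oid = s.dbid
WHERE s.query ~* '\m(ALTER|CREATE)\s+(ROLE|USER)\M.*\mPASSWORD\M';

-- 4. Evict only the matching entries instead of resetting all statistics.
--    The three-argument form of pg_stat_statements_reset needs PostgreSQL 12+.
SELECT count(*) AS entries_evicted
FROM (
    SELECT pg_stat_statements_reset(s.userid, s.dbid, s.queryid)
    FROM pg_stat_statements AS s
    WHERE s.query ~* '\m(ALTER|CREATE)\s+(ROLE|USER)\M.*\mPASSWORD\M'
) AS evicted;
```

Step 4 only clears what is currently retained; while utility tracking stays on, each new rotation is recorded again.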
Vulnerability Information
- Product / Framework: CloudNative PostgreSQL
- Vendor Domain: cloudnative-pg.io
- Vulnerability Type: Misconfiguration
