sql: system.comments is mistakenly writable by all users #45707

@knz

Description

All users have GRANT, SELECT, INSERT, UPDATE, DELETE on system.comments - because these privileges are granted to the public role and every user has that role.

This makes it possible for a user to modify comments on tables/databases/etc that they have otherwise no privilege over.

Statement

This is a security vulnerability, because it should not be possible for a user to modify comments on tables they don't have privileges over.

This issue was introduced in v19.1.

Note that PostgreSQL compatibility mandates that all users can view comments on all tables, even those they don't have privilege over.

The issue is considered minor and thus may not warrant a technical advisory. It will be corrected in a patch release.

Mitigation

Unclear at this point.

Impact

All deployments from v19.1 to the latest v20.1 beta releases are affected. Vulnerable deployments risk having comments on privileged tables edited by unprivileged users - this is a form of privilege escalation.
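An added example, not part of the issue or of CockroachDB's code: a small audit that reads a privilege listing for `system.comments` and separates the read access PostgreSQL compatibility requires from the write and delegation privileges the issue reports on the `public` role. The CSV column names, the function name and both sample listings are constructed assumptions for illustration.

```python
import csv
import io

# Privileges that allow modifying rows or delegating access.
WRITE_PRIVILEGES = {"GRANT", "INSERT", "UPDATE", "DELETE", "ALL"}

# Constructed sample: grants on system.comments as the issue describes them.
# The CSV column names are an assumption about how the listing was exported.
AFFECTED_CSV = """table_name,grantee,privilege_type
comments,admin,GRANT
comments,admin,SELECT
comments,public,DELETE
comments,public,GRANT
comments,public,INSERT
comments,public,SELECT
comments,public,UPDATE
"""

# Constructed sample (assumed corrected state): public keeps read access only.
EXPECTED_CSV = """table_name,grantee,privilege_type
comments,admin,GRANT
comments,admin,SELECT
comments,public,SELECT
"""


def audit_public_grants(csv_text, table="comments"):
    """Report what the public role holds on `table`.

    Returns a dict with:
      readable   - True if public can SELECT (comments stay visible to all)
      unexpected - sorted write/delegation privileges held by public
    """
    held = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["table_name"].strip().lower() != table:
            continue
        if row["grantee"].strip().lower() != "public":
            continue
        held.add(row["privilege_type"].strip().upper())
    return {
        "readable": "SELECT" in held or "ALL" in held,
        "unexpected": sorted(held & WRITE_PRIVILEGES),
    }


if __name__ == "__main__":
    for name, text in (("affected", AFFECTED_CSV), ("expected", EXPECTED_CSV)):
        print(name, audit_public_grants(text))
```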

Metadata

Labels

A-sql-privileges: SQL privilege handling and permission checks.
C-security-disclosure: Represents a Cockroach Labs initiated security disclosure.
