Pghoard Vulnerability - Path Traversal

Overview
pghoard (https://github.com/Aiven-Open/pghoard) is a PostgreSQL backup daemon and restore tool that stores backup data in cloud object stores.

On December 12th, 2024, Aiven detected a security event caused by a vulnerability in pghoard. This event was triggered by a security researcher participating in our bug bounty program (https://bugcrowd.com/engagements/aiven-mbb-og). The pghoard package vulnerability could allow an attacker to perform disk operations at the privilege level of pghoard, allowing for unintended path traversal. Depending on the privileges assigned to pghoard, this could allow disclosure of sensitive on-disk information.
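The defensive pattern that addresses this vulnerability class is to treat any externally supplied file name as untrusted and confine the resolved path to a known base directory before touching the disk. The following is an added example written for this advisory; it is not pghoard's own code and does not reproduce the fix from the referenced GitHub advisory. The base directory `/var/lib/pghoard/backups` and the sample names are constructed placeholders.

```python
import os
from typing import Dict


class PathTraversalError(ValueError):
    """Raised when an untrusted name would escape the configured base directory."""


def resolve_within(base_dir: str, untrusted_name: str) -> str:
    """Join untrusted_name onto base_dir and prove the result stays inside base_dir.

    Absolute names are rejected outright, because os.path.join would discard
    base_dir entirely. Relative names are normalised (so '..' segments are
    collapsed and symlinks in existing components are followed) and the
    result is accepted only if base_dir is still a prefix of it.
    """
    if os.path.isabs(untrusted_name):
        raise PathTraversalError(f"absolute path not allowed: {untrusted_name!r}")

    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, untrusted_name))

    # commonpath is component-aware: '/var/lib/pghoard/backups-old' is NOT
    # inside '/var/lib/pghoard/backups', even though it shares a string prefix.
    if os.path.commonpath([base, candidate]) != base:
        raise PathTraversalError(
            f"{untrusted_name!r} resolves outside {base_dir!r}: {candidate!r}"
        )
    return candidate


def audit_names(base_dir: str, names) -> Dict[str, bool]:
    """Report, for each candidate name, whether it would be accepted.

    Useful as a detection helper when reviewing request logs or object-store
    keys for traversal attempts before they reach a file-system operation.
    """
    report = {}
    for name in names:
        try:
            resolve_within(base_dir, name)
            report[name] = True
        except PathTraversalError:
            report[name] = False
    return report


if __name__ == "__main__":
    # Constructed sample input: one legitimate WAL segment name, three
    # traversal attempts, and one name that normalises back inside the base.
    BASE = "/var/lib/pghoard/backups"
    samples = [
        "site_a/xlog/000000010000000000000001",
        "../../etc/passwd",
        "/etc/passwd",
        "site_a/../../pghoard.json",
        "site_a/../site_b/basebackup/2024-12-12_0",
    ]
    for name, ok in audit_names(BASE, samples).items():
        print(f"{'ACCEPT' if ok else 'REJECT'}  {name}")
```

The check returns the canonical path so callers use that value, not the raw name, for every subsequent `open`, `unlink` or `rename`; validating a string and then operating on a different, unnormalised one is how such checks are typically bypassed.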

This affects pghoard tags 2.6.0 and prior. Tags from 2.6.1-rc onward are not affected.

Details on the CVE will be linked/published when the CVE submission has been reviewed and confirmed. As it stands, Aiven rates this as a 4.8 (Moderate) according to CVSS 4.0.

Update (2024-12-19): the related CVE has been issued: https://nvd.nist.gov/vuln/detail/CVE-2024-56142

Is Aiven Affected?
Aiven’s platform has been fully patched and the issue has been remediated.

Recommendation
Aiven recommends that anyone running pghoard tag 2.6.0 or prior upgrade to 2.6.1-rc or newer.

References
pghoard: https://github.com/Aiven-Open/pghoard
GitHub Advisory: https://github.com/Aiven-Open/pghoard/security/advisories/GHSA-m9hc-vxjj-4x6q
Aiven Bug Bounty: https://bugcrowd.com/engagements/aiven-mbb-og
CVE: https://nvd.nist.gov/vuln/detail/CVE-2024-56142