On Monday, November 13, 2023, Tom Lane <
tgl@sss.pgh.pa.us> wrote:
PG Bug reporting form <noreply@postgresql.org> writes:
> Just wanted to give an update, I'm not sure if it's mentioned anywhere on
> the website. The PostgreSQl version 13.7 is also vuln to the
> CVE-2019-9193.
> The CVE states only In PostgreSQL 9.3 through 11.2.
Please see
https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/
That CVE is erroneous in full, and so the fact that it also misstates
relevant versions is hardly surprising.
It’s hardly surprising because a CVE from 2019 (they make this fairly simple, the year is in the assigned number) would not be expected to list version 13 as that was not released at the time. Assuming 11.2 was indeed the most recent version released at the time the CVE was issued then indeed neither v12 nor v13 were relevant as v11 was only about 6 months old.
David J.
