
PostgreSQL COPY TO/FROM PROGRAM Authenticated Remote Code Execution (CVE-2019-9193)


Overview

CVE-2019-9193 concerns PostgreSQL's COPY TO/FROM PROGRAM capability, which lets a sufficiently privileged database role run an operating system command on the database host. PostgreSQL is a widely used relational database system, so command execution in the server's operating-system context has serious operational impact wherever privileged database access is exposed or misused.

Vulnerability Overview

CVE-2019-9193 describes abuse of PostgreSQL's COPY TO/FROM PROGRAM functionality, which runs an arbitrary shell command as the operating system user that owns the database server process (typically postgres), piping the command's output into a table or the table's rows into the command. NVD lists the affected range as PostgreSQL 9.3 through 11.2, classifies the issue as command injection, and marks the entry as disputed by the vendor.

This case is more nuanced than a typical product vulnerability. PostgreSQL documentation states that COPY to or from a file or program is restricted to database superusers, and PostgreSQL 11 and later also provide predefined roles (pg_execute_server_program for commands, pg_read_server_files and pg_write_server_files for files) that delegate exactly this capability without full superuser rights. The PostgreSQL community's published response argues that this is intended, documented privileged behavior rather than a bug: a superuser is already trusted with the host, so the remedy is not a code patch but keeping superuser-level roles away from applications and untrusted networks.
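The privilege boundary just described, shown as a psql session against PostgreSQL 11 or later. This is an added example and not code from the original page or from the PostgreSQL project; the role name app_user, the table names, and the command 'id' are illustrative assumptions, and the session is assumed to start as a superuser.

```sql
-- Added example, not from the original page: the privilege boundary around
-- COPY ... PROGRAM in PostgreSQL 11+. Assumes the session starts as a
-- superuser; app_user, the table names and the command 'id' are assumptions.

-- 1. As a superuser, COPY FROM PROGRAM runs the command on the database host
--    as the OS user that owns the server process and loads its stdout into
--    the target table. This is the documented feature, not an injection.
CREATE TEMP TABLE cmd_output (line text);
COPY cmd_output FROM PROGRAM 'id';
SELECT * FROM cmd_output;
-- one row such as: uid=999(postgres) gid=999(postgres) groups=999(postgres)

-- 2. A plain login role is refused before any command is executed.
CREATE ROLE app_user LOGIN PASSWORD 'example-only';
SET ROLE app_user;
CREATE TEMP TABLE app_output (line text);   -- owned by app_user, so no table
                                            -- permission gets in the way
COPY app_output FROM PROGRAM 'id';
-- ERROR:  must be superuser or a member of the pg_execute_server_program role
--         to COPY to or from an external program
RESET ROLE;

-- 3. Membership in the predefined role is all that separates the two cases.
--    This grant (only a superuser can make it) is what a defensive review
--    should look for on application roles.
GRANT pg_execute_server_program TO app_user;
SET ROLE app_user;
COPY app_output FROM PROGRAM 'id';          -- now succeeds as app_user
RESET ROLE;

-- Clean up: drop the role's objects first or DROP ROLE will refuse.
REVOKE pg_execute_server_program FROM app_user;
DROP TABLE app_output;
DROP ROLE app_user;
```

On PostgreSQL 9.3 through 10 the predefined roles do not exist, so step 3 has no equivalent: only a superuser can reach COPY PROGRAM at all, and the error text in step 2 simply says that a superuser is required.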

Impact

CVE-2019-9193 has a CVSS 3.0 base score of 7.2 (High) in NVD, with the vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: network reachability, low attack complexity, high privileges required, no user interaction, unchanged scope, and high confidentiality, integrity, and availability impact. The "privileges required: high" component is the key one. The attacker must already hold a superuser role or membership in pg_execute_server_program; without that, COPY PROGRAM is refused.

If an attacker obtains a PostgreSQL superuser account, or an account holding pg_execute_server_program, they can run commands as the operating system user that owns the PostgreSQL server process. In a typical deployment that user is postgres rather than root, so this is not immediately a full host compromise, but it does expose everything that account can read or write: the data directory and every database in the cluster, credentials such as ~/.pgpass or replication settings, application secrets stored on the host, and a foothold for lateral movement through whatever network reach the database host has.

Vulnerability Scope

NVD lists PostgreSQL 9.3 through 11.2 as affected by CVE-2019-9193, but because the behavior is intentional the same capability exists in every later release. The practical scope therefore depends not on an unauthenticated bug in a version range, but on whether highly privileged database accounts are reachable, misconfigured, shared with applications, or exposed remotely.

Defensive review should focus on three things: whether applications connect as a superuser rather than as a least-privilege role; whether predefined roles such as pg_execute_server_program, pg_read_server_files, or pg_write_server_files are granted to roles that do not need them, directly or through group membership; and whether pg_hba.conf or network controls allow privileged roles to authenticate from untrusted locations, for example a trust entry or a host rule matching 0.0.0.0/0.
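The three review points as queries against the system catalogs, for PostgreSQL 11 or later. This is an added example and not code from the original page or the PostgreSQL project. It assumes the queries are run as a superuser, because pg_hba_file_rules is not readable by ordinary roles by default; the thresholds for what counts as a broad address are a reviewer's choice, not a PostgreSQL definition.

```sql
-- Added example, not from the original page: catalog queries for the three
-- review points, PostgreSQL 11+. Run as a superuser (pg_hba_file_rules is
-- superuser-only by default). Which addresses count as "broad" is assumed.

-- 1. Roles that can log in with superuser rights. Each is a complete
--    COPY ... PROGRAM path; application accounts should not appear here.
SELECT rolname
FROM pg_roles
WHERE rolsuper AND rolcanlogin
ORDER BY rolname;

-- 2. Non-superuser roles that hold the server-program or server-file
--    predefined roles, directly or through inheritance. pg_has_role()
--    follows nested membership, so a grant made to a group role is caught.
--    Superusers are excluded because pg_has_role() is always true for them.
SELECT r.rolname,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_run_program,
       pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER') AS can_read_files,
       pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER') AS can_write_files
FROM pg_roles r
WHERE NOT r.rolsuper
  AND r.rolname NOT LIKE 'pg\_%'          -- skip the predefined roles themselves
  AND (pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
    OR pg_has_role(r.oid, 'pg_read_server_files',      'MEMBER')
    OR pg_has_role(r.oid, 'pg_write_server_files',     'MEMBER'))
ORDER BY r.rolname;

-- 3. pg_hba.conf rules worth a second look: trust authentication (no
--    credential at all), wildcard source addresses, or any rule that names
--    a superuser explicitly. Local (socket) rules have a NULL address and
--    only match here on the trust or superuser conditions.
SELECT line_number, type, database, user_name, address, netmask, auth_method
FROM pg_hba_file_rules
WHERE auth_method = 'trust'
   OR address IN ('0.0.0.0', '::', 'all')
   OR user_name && ARRAY(SELECT rolname::text FROM pg_roles WHERE rolsuper)
ORDER BY line_number;
```

Query 1 should ideally return only administrative roles, and those are better off without LOGIN or restricted to local connections; anything returned by query 2 that is an application role is a finding in its own right, since the grant is rarely needed for application workloads; rows from query 3 that combine a superuser name (or the keyword all, which is not flagged above because it matches most configurations) with a broad address or trust are the exposure this CVE is really about.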

Lab Focus

This lab focuses on understanding how powerful database administration features can become remote code execution paths when privileged access is exposed. The goal is to practice evaluating database role boundaries, management-plane exposure, and the difference between an unauthenticated RCE bug and abuse of intentionally privileged functionality.

Resources