Published Wed, Apr 19th, 2023


ApsaraDB RDS for PostgreSQL and AnalyticDB for PostgreSQL contained several vulnerabilities which, chained together, allowed unauthorized access to other tenants' databases and a supply-chain attack on both services, which in turn would have enabled remote code execution (RCE) as well. Both services implement multi-tenancy on a shared K8s cluster, and each contained a set of tenant-isolation bugs an attacker could chain to reach that impact. In ApsaraDB, the chain consisted of privilege escalation to root inside the tenant's container, a shared PID namespace that enabled container escape, and write permission granted to K8s nodes on a private container image registry used by both services. In AnalyticDB, the chain consisted of a file-disclosure bug, command-line injection in a privileged container, and susceptibility to the core_pattern container escape technique.
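The following is an added example, not part of the original advisory and not the researchers' tooling: a small in-container audit for three of the isolation preconditions named above (a writable kernel.core_pattern, a PID namespace shared with node-level processes, and CAP_SYS_ADMIN in the effective capability set, which is what a privileged container grants). Every path argument defaults to the real /proc but can be overridden, so the checks can be pointed at a constructed /proc tree; the daemon name list and the report wording are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the advisory or from Alibaba Cloud / Wiz.
# Three heuristic checks a tenant could run inside their container to see
# whether the escape preconditions described above are present.

# core_pattern escape precondition: /proc/sys/kernel/core_pattern is writable.
# The kernel resolves a "|/path/handler" pattern in the host's mount namespace
# and runs the handler as root there, so writing it from a container and then
# crashing a process executes code on the node.
core_pattern_writable() {
  f="${1:-/proc/sys/kernel/core_pattern}"
  [ -e "$f" ] && [ -w "$f" ]
}

# Reports whether core_pattern already pipes to a handler; a legitimate crash
# collector or a previous attacker may have set one.
core_pattern_is_pipe() {
  f="${1:-/proc/sys/kernel/core_pattern}"
  [ -e "$f" ] || return 1
  [ "$(head -c 1 "$f")" = "|" ]
}

# Shared PID namespace heuristic: a container in its own PID namespace sees
# only its own processes. Node daemons appearing in /proc/<pid>/comm mean the
# namespace is shared with the node (hostPID) or other containers.
# Daemon names are an assumption; extend the list for your runtime.
host_daemons_visible() {
  proc="${1:-/proc}"
  for d in "$proc"/[0-9]*; do
    [ -r "$d/comm" ] || continue
    name=$(cat "$d/comm")
    case "$name" in
      kubelet|containerd|containerd-shim*|dockerd|crio)
        echo "$name"
        return 0 ;;
    esac
  done
  return 1
}

# Privileged-container heuristic: CAP_SYS_ADMIN is capability bit 21.
# A privileged container has it in CapEff; the default Docker/containerd
# capability set does not.
has_cap_sys_admin() {
  status="${1:-/proc/self/status}"
  hex=$(awk '/^CapEff:/ {print $2}' "$status")
  [ -n "$hex" ] || return 2
  [ $(( (0x$hex >> 21) & 1 )) -eq 1 ]
}

# Runs all checks against a /proc root and prints one line per finding.
audit_report() {
  proc="${1:-/proc}"
  core_pattern_writable "$proc/sys/kernel/core_pattern" \
    && echo "FINDING: core_pattern writable from container"
  host_daemons_visible "$proc" >/dev/null \
    && echo "FINDING: node daemons visible, PID namespace is shared"
  has_cap_sys_admin "$proc/self/status" \
    && echo "FINDING: CAP_SYS_ADMIN in effective set (privileged container)"
  return 0
}

# Usage: sh audit.sh            (audits the real /proc)
#        sh audit.sh /some/tree (audits a constructed tree)
[ "${AUDIT_SKIP_MAIN:-0}" = "1" ] || audit_report "${1:-/proc}"
```

Each check is a heuristic, not proof of an escape: a writable core_pattern still needs a crashing process and a reachable handler path on the host, and a shared PID namespace only becomes an escape when combined with capabilities such as CAP_SYS_ADMIN or CAP_SYS_PTRACE. Running the three together is useful because the chains described above combine exactly these conditions.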

Affected Services

ApsaraDB RDS for PostgreSQL, AnalyticDB for PostgreSQL


None required

Tracked CVEs

No tracked CVEs


Disclosure Date
Sun, Dec 4th, 2022
Exploitability Period
Known ITW Exploitation
Detection Methods
Piercing Index Rating
Discovered by
Ronen Shustin, Shir Tamari, Wiz