[talkingquickly]

From the FAQ:

Who is most at risk:

"Any system that allows unrestricted access to the PostgreSQL network port, such as users running PostgreSQL on a public cloud, is especially vulnerable. Users whose servers are only accessible on protected internal networks, or who have effective firewalling or other network access restrictions, are less vulnerable."

So looks like it's low risk but they're not willing to say no risk.

[vidarh]

The reason they are not willing to say no risk is presumably that if you don't upgrade, then any other security vulnerability that allows an attacker to trigger a network connection with a suitable payload to port 5432 (or any other ports you may have Postgres on) on your hosts could still be harmful.

That means anything that gives local shell as any user that run normal tools, but potentially also a lot of other things.

E.g. any software that can be tricked to try to connect to a local address/port pair and send a suitable string.

That dramatically escalates any minor little hole that might otherwise not be a risk for you.

(That's a reminder to always verify before trusting any hostname/IP a user passes you that it's not a local address or address you have privileged access to, and to also consider internally firewalling connections between your various hosts down to just what you need)