The installer writes a password to a temporary file in its installation directory, creates initial databases, and deletes the file. During those seconds while the file exists, a local attacker can read the superuser password from the file.
Acknowledgments:

Name: the PostgreSQL project
Upstream: Noah Misch
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10210
External References: https://www.postgresql.org/about/news/1960/
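
The temporary password file pattern from the bug description, next to a hardened variant and a permission check, as an added example (not the installer's code or the upstream fix). It assumes POSIX permission semantics; the function names, the file names and the password value are hypothetical and constructed for the demonstration.

```python
import os
import stat
import tempfile


def write_pwfile_insecure(install_dir, password):
    """Pattern from the description: plain file in the installation directory."""
    path = os.path.join(install_dir, "pwfile.tmp")  # hypothetical file name
    old = os.umask(0o022)  # common default umask, pinned so the demo is repeatable
    try:
        with open(path, "w") as f:  # created as 0644: other local users can read it
            f.write(password)
    finally:
        os.umask(old)
    return path


def write_pwfile_private(password):
    """Hardened variant: owner-only directory, exclusive create, mode 0600."""
    private_dir = tempfile.mkdtemp(prefix="pgsetup-")  # mkdtemp creates it as 0700
    path = os.path.join(private_dir, "pwfile")
    # O_EXCL refuses to reuse a pre-planted file; 0o600 applies from creation,
    # so there is no window between create and chmod.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(password)
    return path


def readable_by_others(path):
    """Audit check: True if group or other has read permission on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def demo():
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o755)  # stands in for a world-traversable install directory
    bad = write_pwfile_insecure(shared, "constructed-secret")
    good = write_pwfile_private("constructed-secret")
    result = (readable_by_others(bad), readable_by_others(good))
    for p in (bad, good):  # remove the secret and its directory when done
        os.remove(p)
        os.rmdir(os.path.dirname(p))
    return result


if __name__ == "__main__":
    print(demo())
```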