postgresql | PostgreSQL Global Development Group | POSTGRESQL:CVE-2023-39418
History: Aug 10, 2023 - 12:00 a.m.

Vulnerability in core server (CVE-2023-39418)

2023-08-10 00:00:00
PostgreSQL Global Development Group
www.postgresql.org
Tags: postgresql, vulnerability, cve-2023-39418, `merge` command

CVSS3: 4.3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
AI Score: 7.1
Confidence: Low

MERGE fails to enforce UPDATE or SELECT row security policies

PostgreSQL 15 introduced the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. Subsequent consequences are application-dependent. This affects only databases that have used CREATE POLICY to define a row security policy.

The PostgreSQL project thanks Dean Rasheed for reporting this problem.
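The policy layout the advisory describes, written out as a regression-style check so an operator can confirm that a server enforces UPDATE and SELECT policies under MERGE. This is an added example, not code from the PostgreSQL project or from this advisory; every object and role name in it (rls_demo, app_user, ins_any, sel_own, upd_own) is constructed, and it assumes it is run as a superuser or as the table owner.

```sql
-- Added example, not part of the advisory: the INSERT policy permits rows
-- that the SELECT and UPDATE policies forbid, which is exactly the condition
-- under which the advisory says MERGE could store such rows.
-- All names are constructed. Run as a superuser or the table owner
-- (row security is not applied to the table owner).
CREATE TABLE rls_demo (id int PRIMARY KEY, owner text NOT NULL);
ALTER TABLE rls_demo ENABLE ROW LEVEL SECURITY;
CREATE ROLE app_user LOGIN;
GRANT SELECT, INSERT, UPDATE ON rls_demo TO app_user;

-- INSERT is permissive: any row may be inserted ...
CREATE POLICY ins_any ON rls_demo FOR INSERT TO app_user
    WITH CHECK (true);
-- ... while SELECT and UPDATE are limited to rows owned by the current role.
CREATE POLICY sel_own ON rls_demo FOR SELECT TO app_user
    USING (owner = current_user);
CREATE POLICY upd_own ON rls_demo FOR UPDATE TO app_user
    USING (owner = current_user) WITH CHECK (owner = current_user);

SET ROLE app_user;
INSERT INTO rls_demo VALUES (1, 'app_user');   -- own row, allowed by ins_any

-- Baseline (uncomment to see it): a plain UPDATE handing the row to another
-- owner is refused by upd_own's WITH CHECK with
-- "new row violates row-level security policy".
-- UPDATE rls_demo SET owner = 'someone_else' WHERE id = 1;

-- The same change through MERGE's UPDATE action. A fixed server (15.4 and
-- later, per the affected range below) refuses it with the same error; an
-- affected 15.x server stores the row, because the new row was tested only
-- against the INSERT policy, as the advisory describes.
MERGE INTO rls_demo t
USING (VALUES (1, 'someone_else')) AS s(id, owner) ON t.id = s.id
WHEN MATCHED THEN UPDATE SET owner = s.owner
WHEN NOT MATCHED THEN INSERT (id, owner) VALUES (s.id, s.owner);
RESET ROLE;

-- Verification as the table owner (not subject to RLS): a fixed server
-- returns 0; a non-zero count means rows forbidden by the UPDATE/SELECT
-- policies were stored.
SELECT count(*) AS rows_forbidden_by_policy
FROM rls_demo WHERE owner <> 'app_user';

-- Cleanup (the table drop removes the grants and policies referencing the role).
DROP TABLE rls_demo;
DROP ROLE app_user;
```

Running the script with `psql -v ON_ERROR_STOP=1` makes the outcome unambiguous: it stops at the MERGE on a fixed server and reaches the count query only on an affected one.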

Affected configurations

Vulners node:
  Vendor: postgresql   Product: postgresql   Range: <15.4

CPE:
  Vendor: postgresql   Product: postgresql   Version: *
  CPE: cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*