Errata ALT-PU-2023-4814-2: Information
Fixes
Published: Aug. 11, 2023
Modified: Feb. 16, 2024
CVE-2023-39417
A SQL injection vulnerability was found in PostgreSQL's handling of extension scripts: it occurs when an extension script uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed the files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Links:
- https://www.postgresql.org/support/security/CVE-2023-39417
- https://access.redhat.com/security/cve/CVE-2023-39417
- https://bugzilla.redhat.com/show_bug.cgi?id=2228111
- https://security.netapp.com/advisory/ntap-20230915-0002/
- https://lists.debian.org/debian-lts-announce/2023/10/msg00003.html
- https://www.debian.org/security/2023/dsa-5554
- https://www.debian.org/security/2023/dsa-5553
- RHSA-2023:7545
- RHSA-2023:7579
- RHSA-2023:7580
- RHSA-2023:7581
- RHSA-2023:7616
- RHSA-2023:7656
- RHSA-2023:7666
- RHSA-2023:7667
- RHSA-2023:7694
- RHSA-2023:7695
- RHSA-2023:7714
- RHSA-2023:7770
- RHSA-2023:7772
- RHSA-2023:7784
- RHSA-2023:7785
- RHSA-2023:7883
- RHSA-2023:7884
- RHSA-2023:7885
- RHSA-2024:0304
- RHSA-2024:0332
- RHSA-2024:0337
Published: Aug. 11, 2023
Modified: Feb. 16, 2024
CVE-2023-39418
A vulnerability was found in PostgreSQL's MERGE command, which fails to test new rows against the row security policies defined for UPDATE and SELECT. If the UPDATE and SELECT policies forbid some rows that the INSERT policies do not forbid, a user could store such rows.
Severity: MEDIUM (4.3) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Links:
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229
- https://access.redhat.com/security/cve/CVE-2023-39418
- https://www.postgresql.org/support/security/CVE-2023-39418/
- https://bugzilla.redhat.com/show_bug.cgi?id=2228112
- https://security.netapp.com/advisory/ntap-20230915-0002/
- https://www.debian.org/security/2023/dsa-5553
- RHSA-2023:7785
- RHSA-2023:7883
- RHSA-2023:7884
- RHSA-2023:7885