Vulnerability CVE-2023-2455: Information

Description

Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
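The check below is an added example and is not part of the ALT Linux advisory or of PostgreSQL's own tooling. It reads the server version and compares it against the upstream fixed versions listed in this advisory's CPE ranges (15.3, 14.8, 13.11, 12.15, 11.20), then counts the two things the description names as preconditions: row security policies created with CREATE POLICY and SECURITY DEFINER functions outside pg_catalog. The version thresholds are the only advisory-specific values; everything else uses standard PostgreSQL catalogs.

```sql
-- Added exposure check for CVE-2023-2455 (not part of the advisory).
-- server_version_num encodes major*10000 + minor for PostgreSQL 10+,
-- so 15.3 is 150003 and 11.20 is 110020.
WITH v AS (
    SELECT current_setting('server_version_num')::int AS n
)
SELECT
    current_setting('server_version') AS server_version,
    CASE
        WHEN n >= 150000 AND n < 150003 THEN 'affected: 15.x below 15.3'
        WHEN n >= 140000 AND n < 140008 THEN 'affected: 14.x below 14.8'
        WHEN n >= 130000 AND n < 130011 THEN 'affected: 13.x below 13.11'
        WHEN n >= 120000 AND n < 120015 THEN 'affected: 12.x below 12.15'
        WHEN n >= 110000 AND n < 110020 THEN 'affected: 11.x below 11.20'
        WHEN n <  110000 THEN 'below the ranges listed in this advisory'
        ELSE 'not in an affected range'
    END AS cve_2023_2455_version_status,
    -- Policies are per database: this counts only the current database.
    (SELECT count(*) FROM pg_policies) AS row_security_policies,
    -- User-defined SECURITY DEFINER functions, the other ingredient named
    -- in the description (plan reuse across SET ROLE is the second one).
    (SELECT count(*)
       FROM pg_proc
      WHERE prosecdef
        AND pronamespace <> 'pg_catalog'::regnamespace) AS secdef_functions
FROM v;
```

Run it once per database; a server in an affected range with zero row security policies in every database is not exposed, since the description limits the issue to databases that have used CREATE POLICY. On ALT Linux, the package versions in the table below are the authoritative fix markers, since a distribution build may carry the backported fix at a version number that differs from upstream.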

Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Published: June 9, 2023
Modified: July 6, 2023

Fixed packages

| Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
|---|---|---|---|---|---|---|
| postgresql11 | p10 | 11.20-alt0.p10.1 | 11.22-alt0.p10.1 | ALT-PU-2023-1856-1 | 320241 | Fixed |
| postgresql11 | p10_e2k | 11.20-alt0.p10.1 | 11.22-alt0.p10.1 | ALT-PU-2023-3649-1 | - | Fixed |
| postgresql11 | p9 | 11.20-alt0.M90P.1 | 11.22-alt0.M90P.1 | ALT-PU-2023-1918-1 | 320244 | Fixed |
| postgresql11 | c10f1 | 11.21-alt0.p10.1 | 11.22-alt0.p10.1 | ALT-PU-2023-5198-3 | 328071 | Fixed |
| postgresql11 | c9f2 | 11.21-alt0.M90P.1 | 11.22-alt0.M90P.1 | ALT-PU-2023-6628-3 | 332751 | Fixed |
| postgresql12 | sisyphus | 12.15-alt1 | 12.18-alt1 | ALT-PU-2023-1777-1 | 320166 | Fixed |
| postgresql12 | sisyphus_e2k | 12.15-alt1 | 12.18-alt1 | ALT-PU-2023-3497-1 | - | Fixed |
| postgresql12 | sisyphus_riscv64 | 12.15-alt0.1.rv64 | 12.18-alt1 | ALT-PU-2023-3933-1 | - | Fixed |
| postgresql12 | p10 | 12.15-alt0.p10.1 | 12.18-alt0.p10.1 | ALT-PU-2023-1857-1 | 320241 | Fixed |
| postgresql12 | p10_e2k | 12.15-alt0.p10.1 | 12.18-alt0.p10.1 | ALT-PU-2023-3650-1 | - | Fixed |
| postgresql12 | p9 | 12.15-alt0.M90P.1 | 12.18-alt0.M90P.1 | ALT-PU-2023-1917-1 | 320244 | Fixed |
| postgresql12 | c10f1 | 12.16-alt0.p10.1 | 12.18-alt0.p10.1 | ALT-PU-2023-5634-3 | 329540 | Fixed |
| postgresql12 | c9f2 | 12.16-alt0.M90P.1 | 12.18-alt0.c9f2.1 | ALT-PU-2023-6630-3 | 332751 | Fixed |
| postgresql12-1C | p9 | 12.14-alt0.M90P.3 | 12.17-alt0.M90P.2 | ALT-PU-2023-1919-1 | 320244 | Fixed |
| postgresql12-1C | c9f2 | 12.15-alt0.M90P.1 | 12.17-alt0.c9f2.2 | ALT-PU-2023-6629-3 | 332751 | Fixed |
| postgresql13 | sisyphus | 13.11-alt1 | 13.14-alt1 | ALT-PU-2023-1778-1 | 320166 | Fixed |
| postgresql13 | sisyphus_e2k | 13.11-alt1 | 13.14-alt1 | ALT-PU-2023-3498-1 | - | Fixed |
| postgresql13 | sisyphus_riscv64 | 13.11-alt0.1.rv64 | 13.14-alt1 | ALT-PU-2023-3932-1 | - | Fixed |
| postgresql13 | p10 | 13.11-alt0.p10.1 | 13.14-alt0.p10.1 | ALT-PU-2023-1858-1 | 320241 | Fixed |
| postgresql13 | p10_e2k | 13.11-alt0.p10.1 | 13.14-alt0.p10.1 | ALT-PU-2023-3651-1 | - | Fixed |
| postgresql13 | c10f1 | 13.12-alt0.p10.1 | 13.14-alt0.p10.1 | ALT-PU-2023-5635-3 | 329540 | Fixed |
| postgresql14 | sisyphus | 14.8-alt1 | 14.11-alt1 | ALT-PU-2023-1779-1 | 320166 | Fixed |
| postgresql14 | sisyphus_e2k | 14.8-alt1 | 14.11-alt1 | ALT-PU-2023-3499-1 | - | Fixed |
| postgresql14 | sisyphus_riscv64 | 14.8-alt0.1.rv64 | 14.11-alt1 | ALT-PU-2023-3931-1 | - | Fixed |
| postgresql14 | p10 | 14.8-alt0.p10.1 | 14.11-alt0.p10.1 | ALT-PU-2023-1859-1 | 320241 | Fixed |
| postgresql14 | p10_e2k | 14.8-alt0.p10.1 | 14.11-alt0.p10.1 | ALT-PU-2023-3652-1 | - | Fixed |
| postgresql14 | c10f1 | 14.9-alt0.p10.1 | 14.11-alt0.p10.1 | ALT-PU-2023-5636-3 | 329540 | Fixed |
| postgresql15 | sisyphus | 15.3-alt1 | 15.6-alt1 | ALT-PU-2023-1775-1 | 320166 | Fixed |
| postgresql15 | sisyphus_e2k | 15.3-alt1 | 15.6-alt1 | ALT-PU-2023-3495-1 | - | Fixed |
| postgresql15 | sisyphus_riscv64 | 15.3-alt0.1.rv64 | 15.6-alt1 | ALT-PU-2023-3930-1 | - | Fixed |
| postgresql15 | p10 | 15.3-alt0.p10.1 | 15.6-alt0.p10.1 | ALT-PU-2023-1855-1 | 320241 | Fixed |
| postgresql15 | p10_e2k | 15.3-alt0.p10.1 | 15.6-alt0.p10.1 | ALT-PU-2023-3648-1 | - | Fixed |
| postgresql15 | c10f1 | 15.4-alt0.p10.1 | 15.6-alt0.c10.1 | ALT-PU-2023-5633-3 | 329540 | Fixed |
| postgresql15-1C | sisyphus | 15.3-alt1 | 15.5-alt4 | ALT-PU-2023-1780-1 | 320166 | Fixed |
| postgresql15-1C | sisyphus_e2k | 15.3-alt1 | 15.5-alt4 | ALT-PU-2023-3500-1 | - | Fixed |
| postgresql15-1C | p10 | 15.3-alt0.p10.1 | 15.5-alt0.p10.3 | ALT-PU-2023-1860-1 | 320241 | Fixed |
| postgresql15-1C | p10_e2k | 15.3-alt0.p10.1 | 15.5-alt0.p10.3 | ALT-PU-2023-3653-1 | - | Fixed |
| postgresql15-1C | c10f1 | 15.4-alt0.p10.1 | 15.5-alt0.p10.3 | ALT-PU-2023-5637-3 | 329540 | Fixed |

References to Advisories, Solutions, and Tools

    Configuration 1

      cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*  from 15.0 (including) up to 15.3 (excluding)
      cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*  from 14.0 (including) up to 14.8 (excluding)
      cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*  from 13.0 (including) up to 13.11 (excluding)
      cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*  from 12.0 (including) up to 12.15 (excluding)
      cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*  from 11.0 (including) up to 11.20 (excluding)

    Configuration 2

      cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
      cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*
      cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

    Configuration 3

      cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*