Vulnerability CVE-2023-39417: Information

Description

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Fixed packages

References to Advisories, Solutions, and Tools

1. Affected configurations:

   1. Configuration 1

      cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

      Start including

      11.0

      End excliding

      11.21

      ---

      cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

      Start including

      15.0

      End excliding

      15.4

      ---

      cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

      Start including

      14.0

      End excliding

      14.9

      ---

      cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

      Start including

      13.0

      End excliding

      13.12

      ---

      cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

      Start including

      12.0

      End excliding

      12.16

      ---

      Configuration 2

      cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

      ---

      Configuration 3

      cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

      ---

      cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*

      ---