CVE-2023-39417

Postgresql: extension script @substitutions@ within quoting allow sql injection

Published: 8/11/2023 Last updated: 11/20/2025 Reserved: 8/1/2023

A SQL injection vulnerability was found in PostgreSQL extension scripts that use @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed the files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version Score Severity Vector String
3.1 7.5 High CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Opam packages affected (5)

conf-mingw-w64-postgresql-i686 conf-mingw-w64-postgresql-x86_64 conf-postgresql ocsigen-start postgresql

Products affected (80)


References (104)