CVE-2023-39418

Postgresql: merge fails to enforce update or select row security policies

Published: 8/11/2023 Last updated: 11/21/2025 Reserved: 8/1/2023

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	3.1	Low	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Version

Score

Severity

Vector String

3.1

Low

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Products affected (18)

Product	Vendor	Version
Red Hat Enterprise Linux 9	Red Hat	< 10.0.14393.7070
Red Hat Enterprise Linux 9	Red Hat	<= <= 2.2.0
Red Hat Enterprise Linux 6	Red Hat	< 10.0.19045.4529
Red Hat Enterprise Linux 7	Red Hat	< 10.0.22631.3737
Red Hat Enterprise Linux 8	Red Hat	< 10.0.22631.3737
Red Hat Enterprise Linux 8	Red Hat	< 10.0.25398.950
Red Hat Enterprise Linux 8	Red Hat	<= <= 3.7.3
Red Hat Enterprise Linux 8	Red Hat	< 10.0.10240.20680
Red Hat Enterprise Linux 8	Red Hat	<= <= 6.4.9
Red Hat Enterprise Linux 8	Red Hat	< 10.0.20348.2527
Red Hat Enterprise Linux 8.8 Extended Update Support	Red Hat	< 10.0.22000.3019
Red Hat Enterprise Linux 9	Red Hat	< 10.0.19044.4529
Red Hat Enterprise Linux 9.2 Extended Update Support	Red Hat	< 10.0.22621.3737
Red Hat Software Collections	Red Hat	< 10.0.14393.7070
Red Hat Software Collections	Red Hat	<= 1.3.15
Red Hat Software Collections	Red Hat	< 10.0.14393.7070
Red Hat Software Collections	Red Hat	<= <= 1.9.11
Red Hat Software Collections	Red Hat	< 6.0.6003.22720

Postgresql: merge fails to enforce update or select row security policies

Metrics

Opam packages affected (5)

Products affected (18)

References (36)