CVE-2023-39418

Postgresql: merge fails to enforce update or select row security policies

Published: 8/11/2023 Last updated: 11/21/2025 Reserved: 8/1/2023

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	3.1	Low	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Version

Score

Severity

Vector String

3.1

Low

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Products affected (17)

Product	Vendor	Version
Red Hat Enterprise Linux 7	Red Hat	< 12.6
Red Hat Enterprise Linux 6	Red Hat	< 2.2.0
Red Hat Enterprise Linux 7	Red Hat	n/a
Red Hat Enterprise Linux 9	Red Hat	n/a
Red Hat Enterprise Linux 9	Red Hat	n/a
Red Hat Enterprise Linux 8	Red Hat	n/a
Red Hat Enterprise Linux 8	Red Hat	Windows Server 2019
Red Hat Enterprise Linux 8	Red Hat	All Shield TV versions prior to SE 9.0
Red Hat Enterprise Linux 8	Red Hat	< 8.7.17
Red Hat Enterprise Linux 9.2 Extended Update Support	Red Hat	2.0.0
Red Hat Enterprise Linux 8	Red Hat	< *
Red Hat Enterprise Linux 8.8 Extended Update Support	Red Hat	7.2.0
Red Hat Enterprise Linux 9	Red Hat	n/a
Red Hat Enterprise Linux 9.2 Extended Update Support	Red Hat	<= 2.61.0
Red Hat Software Collections	Red Hat	>= 10.0.0-beta.0, < 10.1.2
Red Hat Software Collections	Red Hat	13.0.0
Red Hat Software Collections	Red Hat	< publication

Postgresql: merge fails to enforce update or select row security policies

Metrics

Opam packages affected (5)

Products affected (17)

References (36)