CVE-2023-39418

Postgresql: merge fails to enforce update or select row security policies

Published: 8/11/2023 Last updated: 12/6/2024 Reserved: 8/1/2023

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

CNA assigner: redhat (53f830b8-0a3f-465b-8143-3b8a9948e749) Requested by: n/a

Metrics

Version	Score	Severity	Vector String
3.1	3.1	Low	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Opam packages affected (5)

conf-mingw-w64-postgresql-i686 conf-mingw-w64-postgresql-x86_64 conf-postgresql ocsigen-start postgresql

Products affected (13)

Product	Vendor	Version
Red Hat Enterprise Linux 9	Red Hat	<= MSLBD.230.341
Red Hat Enterprise Linux 6	Red Hat	< https://aka.ms/OfficeSecurityReleases
Red Hat Enterprise Linux 7	Red Hat	22.0 ap357595
Red Hat Enterprise Linux 8	Red Hat	< e60f62f75c99740a28e2bf7e6044086033012a16
Red Hat Enterprise Linux 8	Red Hat	< d659b715e94ac039803d7601505d3473393fc0be
Red Hat Enterprise Linux 8	Red Hat	SD 455
Red Hat Enterprise Linux 8	Red Hat	< 5.5.6
Red Hat Enterprise Linux 8.8 Extended Update Support	Red Hat	n/a
Red Hat Enterprise Linux 9	Red Hat	n/a
Red Hat Enterprise Linux 9.2 Extended Update Support	Red Hat	n/a
Red Hat Software Collections	Red Hat	=1.2.0
Red Hat Software Collections	Red Hat	22.0 ap351682
Red Hat Software Collections	Red Hat	5.17

CVE-2023-39418

Postgresql: merge fails to enforce update or select row security policies

Metrics

Opam packages affected (5)

Products affected (13)

References (18)