CVE-2023-23554
8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Uncontrolled search path element vulnerability exists in pg_ivm versions prior to 1.5.1. When refreshing an IMMV, pg_ivm executes functions without specifying schema names. Under certain conditions, pg_ivm may be tricked to execute unexpected functions from other schemas with the IMMV owner's privilege. If this vulnerability is exploited, an unexpected function provided by an attacker may be executed with the privilege of the materialized view owner.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| IVM Development Group | pg_ivm | versions prior to 1.5.1 | affected |
Weaknesses
- Uncontrolled search path element
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/sraoss/pg_ivm
- https://github.com/sraoss/pg_ivm/releases/tag/v1.5.1
- https://jvn.jp/en/jp/JVN19872280/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://github.com/sraoss/pg_ivm
- https://github.com/sraoss/pg_ivm/releases/tag/v1.5.1
- https://jvn.jp/en/jp/JVN19872280/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.