CVE-2023-39417

Summary

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:…@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Advanced Cluster Security 4.24.2.4-6 < *unaffected
Red HatRed Hat Advanced Cluster Security 4.24.2.4-6 < *unaffected
Red HatRed Hat Advanced Cluster Security 4.24.2.4-7 < *unaffected
Red HatRed Hat Advanced Cluster Security 4.24.2.4-6 < *unaffected
Red HatRed Hat Advanced Cluster Security 4.24.2.4-7 < *unaffected
Red HatRed Hat Enterprise Linux 88090020231114113712.a75119d5 < *unaffected
Red HatRed Hat Enterprise Linux 88090020231128173330.a75119d5 < *unaffected
Red HatRed Hat Enterprise Linux 88090020231114113548.a75119d5 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Advanced Update Support8020020231128165246.4cda2c84 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Telecommunications Update Service8020020231128165246.4cda2c84 < *unaffected
Red HatRed Hat Enterprise Linux 8.2 Update Services for SAP Solutions8020020231128165246.4cda2c84 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support8040020231127153301.522a0ee4 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support8040020231127154806.522a0ee4 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Telecommunications Update Service8040020231127153301.522a0ee4 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Telecommunications Update Service8040020231127154806.522a0ee4 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Update Services for SAP Solutions8040020231127153301.522a0ee4 < *unaffected
Red HatRed Hat Enterprise Linux 8.4 Update Services for SAP Solutions8040020231127154806.522a0ee4 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support8060020231114115246.ad008a3a < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support8060020231128165328.ad008a3a < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Extended Update Support8080020231114105206.63b34585 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Extended Update Support8080020231128165335.63b34585 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Extended Update Support8080020231113134015.63b34585 < *unaffected
Red HatRed Hat Enterprise Linux 90:13.13-1.el9_3 < *unaffected
Red HatRed Hat Enterprise Linux 99030020231120082734.rhel9 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Extended Update Support0:13.13-1.el9_0 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Extended Update Support0:13.13-1.el9_2 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Extended Update Support9020020231115020618.rhel9 < *unaffected
Red HatRed Hat Software Collections for Red Hat Enterprise Linux 70:12.17-1.el7 < *unaffected
Red HatRed Hat Software Collections for Red Hat Enterprise Linux 70:13.13-1.el7 < *unaffected
Red HatRHACS-3.74-RHEL-83.74.8-9 < *unaffected
Red HatRHACS-3.74-RHEL-83.74.8-9 < *unaffected
Red HatRHACS-3.74-RHEL-83.74.8-7 < *unaffected
Red HatRHACS-3.74-RHEL-83.74.8-9 < *unaffected
Red HatRHACS-3.74-RHEL-83.74.8-9 < *unaffected
Red HatRHACS-4.1-RHEL-84.1.6-6 < *unaffected
Red HatRHACS-4.1-RHEL-84.1.6-6 < *unaffected
Red HatRHACS-4.1-RHEL-84.1.6-6 < *unaffected
Red HatRHACS-4.1-RHEL-84.1.6-6 < *unaffected
Red HatRHACS-4.1-RHEL-84.1.6-6 < *unaffected

Weaknesses

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References