CVE-2023-39418
3.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Enterprise Linux 8 | 8090020231114113548.a75119d5 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 8.8 Extended Update Support | 8080020231113134015.63b34585 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9 | 9030020231120082734.rhel9 < * | unaffected |
| Red Hat | Red Hat Enterprise Linux 9.2 Extended Update Support | 9020020231115020618.rhel9 < * | unaffected |
Weaknesses
- CWE-1220: Insufficient Granularity of Access Control
ADP Enrichment
CVE Program Container
Additional References
- https://access.redhat.com/errata/RHSA-2023:7785
- https://access.redhat.com/errata/RHSA-2023:7883
- https://access.redhat.com/errata/RHSA-2023:7884
- https://access.redhat.com/errata/RHSA-2023:7885
- https://access.redhat.com/security/cve/CVE-2023-39418
- https://bugzilla.redhat.com/show_bug.cgi?id=2228112
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229
- https://security.netapp.com/advisory/ntap-20230915-0002/
- https://www.debian.org/security/2023/dsa-5553
- https://www.postgresql.org/support/security/CVE-2023-39418/
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/errata/RHSA-2023:7785
- https://access.redhat.com/errata/RHSA-2023:7883
- https://access.redhat.com/errata/RHSA-2023:7884
- https://access.redhat.com/errata/RHSA-2023:7885
- https://access.redhat.com/security/cve/CVE-2023-39418
- https://bugzilla.redhat.com/show_bug.cgi?id=2228112
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229
- https://www.postgresql.org/support/security/CVE-2023-39418/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.