5.4
CVE-2023-2455
- EPSS 0.21%
- Published 09.06.2023 19:15:09
- Last modified 06.01.2025 18:15:13
- Source secalert@redhat.com
- Teams watchlist Login
- Open Login
Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
Data is provided by the National Vulnerability Database (NVD)
Postgresql ≫ Postgresql Version >= 11.0 < 11.20
Postgresql ≫ Postgresql Version >= 12.0 < 12.15
Postgresql ≫ Postgresql Version >= 13.0 < 13.11
Postgresql ≫ Postgresql Version >= 14.0 < 14.8
Postgresql ≫ Postgresql Version >= 15.0 < 15.3
Redhat ≫ Software Collections Version-
Redhat ≫ Enterprise Linux Version8.0
Redhat ≫ Enterprise Linux Version9.0
Fedoraproject ≫ Fedora Version38
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.21% | 0.441 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
|
CWE-20 Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.