4.3

CVE-2023-39418

Postgresql: merge fails to enforce update or select row security policies

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PostgresqlPostgresql Version >= 15.0 < 15.4
RedhatEnterprise Linux Version8.0
RedhatEnterprise Linux Version9.0
DebianDebian Linux Version12.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.96% 0.571
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 2.8 1.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
secalert@redhat.com 3.1 1.6 1.4
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE-1220 Insufficient Granularity of Access Control

The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.

https://access.redhat.com/errata/RHSA-2023:7785
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7883
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7884
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7885
Third Party Advisory
https://security.netapp.com/advisory/ntap-20230915-0002/
https://www.debian.org/security/2023/dsa-5553
https://access.redhat.com/security/cve/CVE-2023-39418
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2228112
Patch
Third Party Advisory
Issue Tracking
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229
Patch
Mailing List
https://www.postgresql.org/support/security/CVE-2023-39418/
Vendor Advisory