Row Security Policy Flaw in PostgreSQL by PostgreSQL Global Development Group
CVE-2023-2455
Summary
This vulnerability arises from PostgreSQL's failure to properly manage role-specific row security policies when the user ID changes during query execution. Where role-specific policies are defined, incorrect policy enforcement may occur in scenarios such as security definer functions or switching between multiple roles. This allows unauthorized users to execute read and modification operations that should be restricted. The flaw concerns databases where CREATE POLICY has been used to define these row security policies. Affected databases may inadvertently permit violations of intended access controls, putting sensitive data at risk.
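To check whether a database has the preconditions described in the summary, the following added example (not part of the advisory or of PostgreSQL's own tooling) queries the standard system catalogs pg_policies, pg_class, pg_namespace and pg_proc. It lists row security policies that name specific roles and the SECURITY DEFINER functions that could run queries under a different user ID.

```sql
-- 1. Row security policies created with CREATE POLICY that target specific
--    roles rather than PUBLIC, with the row-security state of each table.
SELECT pol.schemaname,
       pol.tablename,
       pol.policyname,
       pol.cmd,
       pol.roles,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_policies AS pol
JOIN pg_namespace AS n
  ON n.nspname = pol.schemaname
JOIN pg_class AS c
  ON c.relnamespace = n.oid
 AND c.relname = pol.tablename
WHERE pol.roles <> ARRAY['public']::name[]
ORDER BY pol.schemaname, pol.tablename, pol.policyname;

-- 2. User-defined SECURITY DEFINER functions: these execute with the
--    owner's user ID, one of the scenarios named in the summary.
SELECT n.nspname                   AS schema_name,
       p.oid::regprocedure         AS function_signature,
       pg_get_userbyid(p.proowner) AS runs_as
FROM pg_proc AS p
JOIN pg_namespace AS n
  ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY n.nspname, p.proname;
```

An empty result from the first query means no role-specific policy exists in the current database; run it in each database of the cluster, since these catalogs are per-database.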
Affected Version(s)
postgresql PostgreSQL 15.3, PostgreSQL 14.8, PostgreSQL 13.11, PostgreSQL 12.15, PostgreSQL 11.20