PostgreSQL: extension script @substitutions@ within quoting allows SQL injection
CVE-2023-39417
Key Information:
- Vendor: Red Hat
- Status: Vendor
- CVE Published: 11 August 2023
Summary
A SQL injection flaw was found in the way PostgreSQL runs extension scripts. The server substitutes the extension schema and owner names for the strings @extowner@, @extschema@ and @extschema:...@ textually, so if a script uses one of them inside a quoting construct (dollar quoting, '' or ""), a crafted schema or owner name can terminate the quoted text and the remainder of the name is executed as SQL. If an administrator has installed the files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser; extensions bundled with PostgreSQL are not affected. The fix (PostgreSQL 15.4, 14.9, 13.12, 12.16 and 11.21) rejects schema and owner names containing a quote, backslash or dollar sign. Organizations should inventory the extensions installed on their servers, treat any non-bundled trusted extension whose script uses these substitutions inside quoting as exposed, and apply the vendor update.
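To make the mechanism concrete, here is an added Python model of the substitution step; it is not code from this page or from PostgreSQL. VULNERABLE_SCRIPT is a constructed stand-in for a non-bundled extension script (the extension name "widget", the schema name, and the role "attacker" are all hypothetical), quote_identifier() is a simplified version of the server's identifier quoting that always double-quotes, and split_statements() is a toy lexer used only to show where a real parser would see statement boundaries. The hardened path mirrors the upstream fix's rejection of names containing a quote, backslash or dollar sign.

```python
import re

# Constructed stand-in for a vulnerable, non-bundled extension script.
# The second statement embeds @extschema@ inside a '...' literal, which is
# exactly the pattern CVE-2023-39417 is about.
VULNERABLE_SCRIPT = (
    "CREATE TABLE @extschema@.settings (k text PRIMARY KEY, v text);\n"
    "COMMENT ON SCHEMA @extschema@ IS "
    "'Objects of the widget extension live in @extschema@';\n"
)

# Hypothetical attacker-chosen schema name, as supplied via
# CREATE EXTENSION widget SCHEMA "...". The single quote closes the literal
# in the COMMENT statement; the rest of the name becomes new SQL.
ATTACKER_SCHEMA = "evil'; ALTER ROLE attacker SUPERUSER; --"

# Characters the upstream fix refuses in substituted names (quotes, backslash, dollar).
UNSAFE_NAME_CHARS = re.compile(r'["$\'\\]')


def quote_identifier(name: str) -> str:
    """Simplified quote_identifier(): always double-quote, doubling embedded
    double quotes. It does nothing about single quotes or dollar signs, which is
    why a name dropped inside a '...' or $$...$$ context can break out."""
    return '"' + name.replace('"', '""') + '"'


def expand_script(script: str, schema: str, owner: str, hardened: bool) -> str:
    """Model of the server-side substitution of @extschema@ / @extowner@.
    hardened=False: plain textual replacement (vulnerable behaviour).
    hardened=True: reject names containing quote, backslash or dollar first."""
    if hardened:
        for label, name in (("schema", schema), ("owner", owner)):
            if UNSAFE_NAME_CHARS.search(name):
                raise ValueError(f"invalid character in extension {label} name {name!r}")
    return (script.replace("@extschema@", quote_identifier(schema))
                  .replace("@extowner@", quote_identifier(owner)))


def split_statements(sql: str) -> list[str]:
    """Toy statement splitter: honours '...' and "..." (with doubled-quote
    escapes) and -- line comments, and splits on ';'. It is not a SQL parser
    (no dollar quoting, no E'' strings); it only shows where the boundaries fall."""
    stmts, buf, i, n = [], [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in ("'", '"'):
            j = i + 1
            while j < n:
                if sql[j] == c:
                    if j + 1 < n and sql[j + 1] == c:   # doubled quote is an escape
                        j += 2
                        continue
                    break
                j += 1
            buf.append(sql[i:j + 1])
            i = j + 1
        elif sql.startswith("--", i):                   # drop the line comment
            j = sql.find("\n", i)
            i = n if j == -1 else j + 1
        elif c == ";":
            text = "".join(buf).strip()
            if text:
                stmts.append(text)
            buf = []
            i += 1
        else:
            buf.append(c)
            i += 1
    text = "".join(buf).strip()
    if text:
        stmts.append(text)
    return stmts


def statements_executed(schema: str, owner: str = "attacker", hardened: bool = False) -> list[str]:
    """Statements the (modelled) server would run for the script under the given names."""
    return split_statements(expand_script(VULNERABLE_SCRIPT, schema, owner, hardened))


def hardened_rejects(schema: str, owner: str = "attacker") -> bool:
    """True when the fixed substitution path refuses to run the script at all."""
    try:
        expand_script(VULNERABLE_SCRIPT, schema, owner, hardened=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for stmt in statements_executed(ATTACKER_SCHEMA):
        print(stmt)
    print("hardened rejects payload:", hardened_rejects(ATTACKER_SCHEMA))
```

With the benign name "widget" the script expands to its two intended statements. With ATTACKER_SCHEMA the CREATE TABLE line is harmless, because the name is wrapped in double quotes as an identifier, but the COMMENT line's string literal ends at the embedded single quote and a third statement, ALTER ROLE attacker SUPERUSER, appears; since trusted extension scripts run as the bootstrap superuser, that is the privilege escalation the advisory describes. The hardened path never reaches the replacement for such a name.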
Affected Version(s)
Red Hat Advanced Cluster Security 4.2 (4.2.4-6)
Red Hat Advanced Cluster Security 4.2 (4.2.4-7)
References
EPSS Score
8% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- Vulnerability published: 11 August 2023
- Vulnerability reserved