Postgresql: merge fails to enforce update or select row security policies
CVE-2023-39418

4.3MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Enterprise Linux 8; Red Hat Enterprise Linux 8.8 Extended Update Support; Red Hat Enterprise Linux 9; Red Hat Enterprise Linux 9.2 Extended Update Support
Vendor: CVE Published:; 11 August 2023

🔔 Create Red Hat Vulnerability Alert

What is CVE-2023-39418?

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

Affected Version(s)

Red Hat Enterprise Linux 8 8090020231114113548.a75119d5

Red Hat Enterprise Linux 8.8 Extended Update Support 8080020231113134015.63b34585

Red Hat Enterprise Linux 9 9030020231120082734.rhel9

References

https://access.redhat.com/errata/RHSA-2023:7785

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2023:7883

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2023:7884

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 11, 2023
Vulnerability Reserved
Aug 1, 2023

.