Postgresql: memory disclosure in aggregate function calls
CVE-2023-5868
4.3MEDIUM
Key Information:
- Vendor
- Red Hat
- Status
- Vendor
- CVE Published:
- 10 December 2023
Summary
A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.
Affected Version(s)
Red Hat Advanced Cluster Security 4.2 4.2.4-6
Red Hat Advanced Cluster Security 4.2 4.2.4-6
Red Hat Advanced Cluster Security 4.2 4.2.4-7
References
CVSS V3.1
Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database
Credit
Upstream acknowledges Jingzhou Fu as the original reporter.