Description

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

Related CPE's

a

postgresql

postgresql

Vulnerable

o

redhat

enterprise_linux

2

o

debian

debian_linux

12.0

Vulnerable

References

https://access.redhat.com/errata/RHSA-2023:7785

Third Party Advisory

https://access.redhat.com/errata/RHSA-2023:7883

Third Party Advisory

https://access.redhat.com/errata/RHSA-2023:7884

Third Party Advisory

https://access.redhat.com/errata/RHSA-2023:7885

Third Party Advisory

https://access.redhat.com/security/cve/CVE-2023-39418

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2228112

Issue TrackingPatchThird Party Advisory

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229

Mailing ListPatch

https://security.netapp.com/advisory/ntap-20230915-0002/

Third Party Advisory

https://www.debian.org/security/2023/dsa-5553

Third Party Advisory

https://www.postgresql.org/support/security/CVE-2023-39418/

Vendor Advisory

Weaknesses

[email protected]

Primary
NVD-CWE-noinfo

CVSS impact metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

4.3 · Medium

  • CVSS V3.1

  • CVSS V3.0

  • CVSS V2.0

Information

Source identifier

[email protected]

Vulnerability status

Analyzed

Published

2023-08-11T13:15:09.963

11 months ago

Last modified

2024-02-16T13:57:03.523

5 months ago