PT-2023-4423 · Unknown+10 · Postgresql+9

Dean Rasheed

Publicado

2023-08-01

Atualizado

2026-01-30

CVE-2023-39418

CVSS v3.1

4.3

Média

Vetor

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions PostgreSQL versions 15 and later

Description A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows. This issue is related to shortcomings in access control.

Recommendations For PostgreSQL version 15, consider disabling the MERGE command until a patch is available to prevent exploitation of this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-1220CWE-264

Identificadores relacionados

ALSA-2023:7785

ALSA-2023:7884

ALT-PU-2023-4805

ALT-PU-2023-4810

ALT-PU-2023-4814

ALT-PU-2023-4815

ALT-PU-2023-5156

ALT-PU-2023-5157

ALT-PU-2023-5633

ALT-PU-2023-5637

BDU:2023-04768

BIT-POSTGRESQL-2023-39418

CESA-2023_7884

CLEANSTART-2026-FW42039

CLEANSTART-2026-HJ04971

CVE-2023-39418

DSA-5553-1

ECHO-108E-F2FD-6847

MGASA-2023-0261

OESA-2023-1567

OESA-2023-1568

OESA-2023-1569

OPENSUSE-SU-2023_3347-1

OPENSUSE-SU-2024:13134-1

RHSA-2023:7785

RHSA-2023:7883

RHSA-2023:7884

RHSA-2023:7885

RHSA-2023_7785

RHSA-2023_7884

RLSA-2023:7785

ROSA-SA-2024-2486

SUSE-SU-2023:3342-1

SUSE-SU-2023:3347-1

USN-6296-1

Produtos afetados

Alt Linux

Almalinux

Centos

Linuxmint

Postgresql

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

PT-2023-4423 · Unknown+10 · Postgresql+9

CVE-2023-39418

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 161