Sven Klemm

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 18.4 PostgreSQL versions prior to 17.10 PostgreSQL versions prior to 16.14 PostgreSQL versions prior to 15.18 PostgreSQL versions prior to 14.23 **Description** Integer wraparound in multiple server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This can lead to arbitrary code execution as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the input provider may cause a segmentation fault, which is an error occurring when a program attempts to access a memory location that it is not allowed to access. **Recommendations** Update to version 18.4 or later. Update to version 17.10 or later. Update to version 16.14 or later. Update to version 15.18 or later. Update to version 14.23 or later.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL (affected versions not specified) **Description** A vulnerability was found in PostgreSQL that allows an attacker to run arbitrary code as the victim role, which may be a superuser. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. The flaw is related to errors when using OR commands with extensions, which can allow a remote attacker to elevate their privileges and replace arbitrary objects in the database. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 13.2 PostgreSQL versions prior to 12.6 PostgreSQL versions prior to 11.11 PostgreSQL versions prior to 10.16 PostgreSQL versions prior to 9.6.21 PostgreSQL versions prior to 9.5.25 **Description** A flaw was found in PostgreSQL that allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality. This issue is related to shortcomings in the authorization mechanism, which can be exploited by a remote attacker to gain unauthorized access to protected information. **Recommendations** For versions prior to 13.2, update to version 13.2 or later. For versions prior to 12.6, update to version 12.6 or later. For versions prior to 11.11, update to version 11.11 or later. For versions prior to 10.16, update to version 10.16 or later. For versions prior to 9.6.21, update to version 9.6.21 or later. For versions prior to 9.5.25, update to version 9.5.25 or later.