Yu Kunpeng

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions 17.0 through 17.9 PostgreSQL versions 18.0 through 18.3 **Description** SQL injection in the `pg createsubscriber` function allows an attacker with `pg create subscription` rights to execute arbitrary SQL commands with superuser privileges. The attack is triggered when `pg createsubscriber` is subsequently executed. **Recommendations** Update PostgreSQL version 17 to 17.10. Update PostgreSQL version 18 to 18.4.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 18.4 PostgreSQL versions prior to 17.10 PostgreSQL versions prior to 16.14 PostgreSQL versions prior to 15.18 PostgreSQL versions prior to 14.23 **Description** The use of the dangerous function `PQfn(..., result is int=0, ...)` within the libpq `lo export()`, `lo read()`, `lo lseek64()`, and `lo tell64()` functions allows a server superuser to overwrite a client stack buffer with an arbitrarily-large response. This occurs because the function stores server-determined data of arbitrary length into a buffer of unspecified size. Consequently, since the `lo export` command in psql and pg dump utilize `lo read()`, a server superuser can overwrite the stack memory of psql or pg dump. **Recommendations** Update to version 18.4 or later. Update to version 17.10 or later. Update to version 16.14 or later. Update to version 15.18 or later. Update to version 14.23 or later.