CVE-2023-39418

CVSS v3.1

4.3

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions PostgreSQL versions 15 and later

Description A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows. This issue is related to shortcomings in access control.

Recommendations For PostgreSQL version 15, consider disabling the MERGE command until a patch is available to prevent exploitation of this issue. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-1220CWE-264

Related Identifiers

ALSA-2023:7785

ALSA-2023:7884

ALT-PU-2023-4805

ALT-PU-2023-4810

ALT-PU-2023-4814

ALT-PU-2023-4815

ALT-PU-2023-5156

ALT-PU-2023-5157

ALT-PU-2023-5633

ALT-PU-2023-5637

BDU:2023-04768

BIT-POSTGRESQL-2023-39418

CESA-2023_7884

CLEANSTART-2026-FW42039

CLEANSTART-2026-HJ04971

CVE-2023-39418

DSA-5553-1

ECHO-108E-F2FD-6847

MGASA-2023-0261

OESA-2023-1567

OESA-2023-1568

OESA-2023-1569

OPENSUSE-SU-2023_3347-1

OPENSUSE-SU-2024:13134-1

RHSA-2023:7785

RHSA-2023:7883

RHSA-2023:7884

RHSA-2023:7885

RHSA-2023_7785

RHSA-2023_7884

RLSA-2023:7785

ROSA-SA-2024-2486

SUSE-SU-2023:3342-1

SUSE-SU-2023:3347-1

USN-6296-1

Affected Products

Alt Linux

Almalinux

Centos

Linuxmint

Postgresql

Red Hat

Red Os

Rocky Linux

Suse

Ubuntu

CVE-2023-39418

Weakness Enumeration

Related Identifiers

Affected Products

References · 161