CVE-2023-39418 — Insufficient Granularity of Access Control in Postgresql

CWE-1220 — Insufficient Granularity of Access Control9 documents8 sources

Severity

4.3MEDIUMNVD

CNA3.1OSV8.8

EPSS

0.4%

top 36.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Debian Linux Redhat Enterprise Linux

Timeline

PublishedAug 11

Latest updateFeb 15

Description

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages1 packages

▶NVDpostgresql/postgresql15.0 — 15.4

Also affects: Debian Linux 12.0, Enterprise Linux 8.0, 9.0

Patches

Patch: bugzilla.redhat.com ↗Patch: git.postgresql.org ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

postgresql-12, postgresql-14, postgresql-15 vulnerabilities↗2023-08-17

▶

GHSA

GHSA-chgx-7cw3-hr55: A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDA↗2023-08-11

▶

CVEList

Postgresql: merge fails to enforce update or select row security policies↗2023-08-11

▶

OSV

CVE-2023-39418: A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDA↗2023-08-11

▶

📋Vendor Advisories

CISA ICS

Siemens SINEC NMS↗2024-02-15

▶

Ubuntu

PostgreSQL vulnerabilities↗2023-08-17

▶

Red Hat

postgresql: MERGE fails to enforce UPDATE or SELECT row security policies↗2023-08-10

▶

Debian

CVE-2023-39418: postgresql-13 - A vulnerability was found in PostgreSQL with the use of the MERGE command, which...↗2023

▶