CVE-2023-39418

2023-08-1113:15:09

Debian Security Bug Tracker

security-tracker.debian.org

postgresql

vulnerability

merge command

row security policies

insert

update

select

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

0.001 Low

EPSS

Percentile

36.4%

JSON

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

OSVersionArchitecturePackageVersionFilename
Debian10allpostgresql-11< 11.16-0+deb10u1postgresql-11_11.16-0+deb10u1_all.deb
Debian11allpostgresql-13< 13.13-0+deb11u1postgresql-13_13.13-0+deb11u1_all.deb
Debian12allpostgresql-15< 15.5-0+deb12u1postgresql-15_15.5-0+deb12u1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	10	all	postgresql-11	< 11.16-0+deb10u1	postgresql-11_11.16-0+deb10u1_all.deb
Debian	11	all	postgresql-13	< 13.13-0+deb11u1	postgresql-13_13.13-0+deb11u1_all.deb
Debian	12	all	postgresql-15	< 15.5-0+deb12u1	postgresql-15_15.5-0+deb12u1_all.deb