BIT-postgresql-2023-5870

2024-03-0611:02:29

Google

osv.dev

postgresql

pg_cancel_backend

background workers

dos attack

software vulnerability

high privileged user

4.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

46.9%

JSON

A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.

CPENameOperatorVersion
postgresqlge15.0.0
postgresqllt11.22.0
postgresqlle16.0.0
postgresqlge14.0.0
postgresqlge12.0.0
postgresqllt13.13.0
postgresqlge13.0.0
postgresqllt12.17.0
postgresqllt14.10.0
postgresqllt15.5.0

Name	Operator	Version
postgresql	ge	15.0.0
postgresql	lt	11.22.0
postgresql	le	16.0.0
postgresql	ge	14.0.0
postgresql	ge	12.0.0
postgresql	lt	13.13.0
postgresql	ge	13.0.0
postgresql	lt	12.17.0
postgresql	lt	14.10.0
postgresql	lt	15.5.0