CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | LOW |
Availability Impact | NONE |

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

AI Score confidence: Low

PostgreSQL 15 introduced the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. Subsequent consequences are application-dependent. This affects only databases that have used CREATE POLICY to define a row security policy.
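
An audit query for the policy shape described above, added here as an example and not taken from the PostgreSQL project's advisory: it lists tables with row security enabled that carry an INSERT policy alongside separate UPDATE or SELECT policies, with the expressions side by side for comparison. The `notes` table and its policy names are hypothetical and constructed for illustration; `pg_policies`, `pg_class.relrowsecurity` and `pg_namespace` are standard catalog objects.

```sql
-- Constructed sample (hypothetical table and policies) so the audit query
-- below returns a row: INSERT admits any row, SELECT/UPDATE only the caller's own.
CREATE TABLE notes (id int PRIMARY KEY, author text, body text);
ALTER TABLE notes ENABLE ROW LEVEL SECURITY;
CREATE POLICY notes_ins ON notes FOR INSERT WITH CHECK (true);
CREATE POLICY notes_sel ON notes FOR SELECT USING (author = current_user);
CREATE POLICY notes_upd ON notes FOR UPDATE USING (author = current_user);

-- Audit: tables where command-specific policies can disagree about which
-- rows are allowed. Run once per database; only relevant where MERGE exists
-- (PostgreSQL 15 and later), so the server version is reported in each row.
SELECT
    p.schemaname,
    p.tablename,
    current_setting('server_version') AS server_version,
    -- INSERT policies only have a WITH CHECK expression.
    array_agg(DISTINCT p.with_check)
        FILTER (WHERE p.cmd = 'INSERT') AS insert_with_check,
    -- UPDATE policies fall back to USING when WITH CHECK is omitted.
    array_agg(DISTINCT coalesce(p.with_check, p.qual))
        FILTER (WHERE p.cmd = 'UPDATE') AS update_with_check,
    -- SELECT policies only have a USING expression.
    array_agg(DISTINCT p.qual)
        FILTER (WHERE p.cmd = 'SELECT') AS select_using
FROM pg_policies AS p
JOIN pg_namespace AS n ON n.nspname = p.schemaname
JOIN pg_class AS c ON c.relnamespace = n.oid AND c.relname = p.tablename
WHERE c.relrowsecurity                 -- row security is enabled on the table
GROUP BY p.schemaname, p.tablename
HAVING count(*) FILTER (WHERE p.cmd = 'INSERT') > 0
   AND count(*) FILTER (WHERE p.cmd IN ('UPDATE', 'SELECT')) > 0
ORDER BY p.schemaname, p.tablename;
```

Each returned table needs manual review: the query shows the expressions but does not decide whether the INSERT check is weaker than the UPDATE and SELECT ones, and policies declared `FOR ALL` are not listed because they apply the same expression to every command.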
The PostgreSQL project thanks Dean Rasheed for reporting this problem.
Vendor | Product | Version | CPE |
---|---|---|---|
postgresql | postgresql | * | cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* |