Source: Ubuntu.com (ubuntucve), ID: UB:CVE-2023-39418
History: Aug 11, 2023 - 12:00 a.m.

CVE-2023-39418

cve-2023-39418
postgresql
merge command
row security policies

CVSS3: 4.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.001 Low (Percentile: 36.3%)

A vulnerability was found in PostgreSQL with the use of the MERGE command,
which fails to test new rows against row security policies defined for
UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that
INSERT policies do not forbid, a user could store such rows.

Notes

Author    Note
leosilva  PostgreSQL 9.3 is end of life upstream, and no updates are available. Marking as deferred in -esm-main releases.
mdeslaur  This only affects v15

OS      OS Version  Architecture  Package        Package Version            Filename
ubuntu  23.04       noarch        postgresql-15  < 15.4-0ubuntu0.23.04.1    UNKNOWN
ubuntu  23.10       noarch        postgresql-15  < 15.4-1ubuntu1            UNKNOWN
