CVE-2023-5869

Source: ubuntu.com (ubuntucve), ID UB:CVE-2023-5869
Date: Nov 15, 2023 - 12:00 a.m.
Tags: postgresql, remote code execution, sql array modification, integer overflow, memory read, memory write, cve-2023-5869

CVSS3: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

AI Score: 8.8 (Confidence: High)
EPSS: 0.015 (Percentile: 86.7%)

A flaw was found in PostgreSQL that allows authenticated database users to
execute arbitrary code through missing overflow checks during SQL array
value modification. This issue exists due to an integer overflow during
array modification where a remote user can trigger the overflow by
providing specially crafted data. This enables the execution of arbitrary
code on the target system, allowing users to write arbitrary bytes to
memory and extensively read the server’s memory.

Notes

leosilva: PostgreSQL 9.3 is end of life upstream, and no updates are available. Marking as deferred in -esm-main releases.

| OS | OS version | Architecture | Package | Package version | Filename |
|---|---|---|---|---|---|
| ubuntu | 18.04 | noarch | postgresql-10 | < 10.23-0ubuntu0.18.04.2+esm1 | UNKNOWN |
| ubuntu | 20.04 | noarch | postgresql-12 | < 12.17-0ubuntu0.20.04.1 | UNKNOWN |
| ubuntu | 22.04 | noarch | postgresql-14 | < 14.10-0ubuntu0.22.04.1 | UNKNOWN |
| ubuntu | 23.04 | noarch | postgresql-15 | < 15.5-0ubuntu0.23.04.1 | UNKNOWN |
| ubuntu | 23.10 | noarch | postgresql-15 | < 15.5-0ubuntu0.23.10.1 | UNKNOWN |
| ubuntu | 14.04 | noarch | postgresql-9.3 | < any | UNKNOWN |
| ubuntu | 16.04 | noarch | postgresql-9.5 | < 9.5.25-0ubuntu0.16.04.1+esm6 | UNKNOWN |
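
To check an installed package against the fixed versions listed in the table above, the following added example (not part of the original advisory) compares version strings using Debian version ordering. The function names are assumptions made for this example, and the comparison routine is a compact implementation written here, not dpkg's own code.

```python
import re

# Fixed versions from the advisory table; None stands for "< any" (no fixed version listed).
FIXED = {
    ("18.04", "postgresql-10"): "10.23-0ubuntu0.18.04.2+esm1",
    ("20.04", "postgresql-12"): "12.17-0ubuntu0.20.04.1",
    ("22.04", "postgresql-14"): "14.10-0ubuntu0.22.04.1",
    ("23.04", "postgresql-15"): "15.5-0ubuntu0.23.04.1",
    ("23.10", "postgresql-15"): "15.5-0ubuntu0.23.10.1",
    ("14.04", "postgresql-9.3"): None,
    ("16.04", "postgresql-9.5"): "9.5.25-0ubuntu0.16.04.1+esm6",
}

def _rank(ch):
    # Non-digit ordering: '~' sorts before end of string (0), letters before other characters.
    if ch == "~":
        return -1
    return ord(ch) if ch.isalpha() else ord(ch) + 256

def _cmp_part(a, b):
    # Compare alternating non-digit and digit runs, left to right.
    while a or b:
        na, nb = re.match(r"\D*", a).group(), re.match(r"\D*", b).group()
        a, b = a[len(na):], b[len(nb):]
        for i in range(max(len(na), len(nb))):
            x = _rank(na[i]) if i < len(na) else 0
            y = _rank(nb[i]) if i < len(nb) else 0
            if x != y:
                return -1 if x < y else 1
        da, db = re.match(r"\d*", a).group(), re.match(r"\d*", b).group()
        a, b = a[len(da):], b[len(db):]
        x, y = int(da or 0), int(db or 0)
        if x != y:
            return -1 if x < y else 1
    return 0

def _split(v):
    # [epoch:]upstream[-revision]; the revision starts at the last hyphen.
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def deb_cmp(a, b):
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea > eb) - (ea < eb) or _cmp_part(ua, ub) or _cmp_part(ra, rb)

def is_affected(release, package, installed):
    # Raises KeyError for a release/package pair the advisory does not list.
    fixed = FIXED[(release, package)]
    return fixed is None or deb_cmp(installed, fixed) < 0
```

On a live host, the installed version string can be read with `dpkg-query -W -f='${Version}' <package>` and passed as `installed`.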
