CVE-2023-39418

Postgresql: merge fails to enforce update or select row security policies

Severity Score

4.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

Se encontró una vulnerabilidad en PostgreSQL con el uso del comando MERGE, que no puede probar nuevas filas con las políticas de seguridad de filas definidas para ACTUALIZAR y SELECCIONAR. Si las políticas ACTUALIZAR y SELECCIONAR prohíben algunas filas que las políticas INSERTAR no prohíben, un usuario podría almacenar dichas filas.

It was discovered that PostgreSQL incorrectly handled certain extension script substitutions. An attacker having database-level CREATE privileges can use this issue to execute arbitrary code as the bootstrap superuser. It was discovered that PostgreSQL incorrectly handled the MERGE command. A remote attacker could possibly use this issue to bypass certain UPDATE and SELECT policies. This issue only affected Ubuntu 23.04.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-08-01 CVE Reserved
2023-08-11 CVE Published
2024-12-06 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-1220: Insufficient Granularity of Access Control

CAPEC

References (10)

URL	Tag	Source
https://security.netapp.com/advisory/ntap-20230915-0002	Third Party Advisory
https://www.debian.org/security/2023/dsa-5553	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=2228112	2023-12-20
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229	2024-02-16

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2023:7785	2024-02-16
https://access.redhat.com/errata/RHSA-2023:7883	2024-02-16
https://access.redhat.com/errata/RHSA-2023:7884	2024-02-16
https://access.redhat.com/errata/RHSA-2023:7885	2024-02-16
https://access.redhat.com/security/cve/CVE-2023-39418	2023-12-20
https://www.postgresql.org/support/security/CVE-2023-39418	2024-02-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Postgresql Search vendor "Postgresql"		Postgresql Search vendor "Postgresql" for product "Postgresql"				>= 15.0 < 15.4 Search vendor "Postgresql" for product "Postgresql" and version " >= 15.0 < 15.4"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				12.0 Search vendor "Debian" for product "Debian Linux" and version "12.0"		-		Affected