Multiple vulnerabilities in PostgreSQL

Published: 2023-08-11

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2023-39417 CVE-2023-39418
CWE-ID	CWE-89 CWE-264
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	PostgreSQL Server applications / Database software
Vendor	PostgreSQL Global Development Group

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) SQL injection

EUVDB-ID: #VU79454

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2023-39417

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries in database.

The vulnerability exists due to insufficient sanitization of user-supplied data within the extension script @substitutions@, which uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct. A remote attacker can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 11.0 - 15.3

CPE2.3

cpe:2.3:a:postgresql_global_development_group:postgresql:15.3:*:*:*:*:*:*:*

External links

http://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU79455

Risk: Low