openEuler 22.03 LTS update for libpq
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 3 |
| CVE-ID | CVE-2023-2454 CVE-2023-2455 CVE-2023-39418 |
| CWE-ID | CWE-264 CWE-254 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
openEuler Operating systems & Components / Operating system libpq-devel Operating systems & Components / Operating system package or component libpq-debuginfo Operating systems & Components / Operating system package or component libpq-debugsource Operating systems & Components / Operating system package or component libpq Operating systems & Components / Operating system package or component |
| Vendor | openEuler |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU76041
Risk: Medium
CVSSv4.0: 6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2023-2454
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to execute arbitrary code on the system.
The vulnerability exists due to improperly imposed security restrictions. A remote database user with CREATE privilege can bypass protective search_path changes via "CREATE SCHEMA ... schema_element" command and execute arbitrary code on the system.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
libpq-devel: before 13.12-1
libpq-debuginfo: before 13.12-1
libpq-debugsource: before 13.12-1
libpq: before 13.12-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS:*:*:*:*:*:*
- cpe:2.3:o:openeuler:libpq-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libpq-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libpq-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libpq:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1569
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security features bypass
EUVDB-ID: #VU76042
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-2455
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to incomplete fix for #VU40402 (CVE-2016-2193) that did not anticipate a scenario involving function inlining. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications.
This affects only databases that have used CREATE POLICY to define a row security policy.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
libpq-devel: before 13.12-1
libpq-debuginfo: before 13.12-1
libpq-debugsource: before 13.12-1
libpq: before 13.12-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS:*:*:*:*:*:*
- cpe:2.3:o:openeuler:libpq-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libpq-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libpq-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libpq:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1569
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU79455
Risk: Low
CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-39418
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to the MERGE command does not properly enforce UPDATE or SELECT row security policies. A remote user can read or update protected data.
Install updates from vendor's repository.
Vulnerable software versionsopenEuler: 22.03 LTS
libpq-devel: before 13.12-1
libpq-debuginfo: before 13.12-1
libpq-debugsource: before 13.12-1
libpq: before 13.12-1
CPE2.3- cpe:2.3:o:openeuler:openeuler:22.03:LTS:*:*:*:*:*:*
- cpe:2.3:o:openeuler:libpq-devel:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libpq-debuginfo:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libpq-debugsource:*:*:*:*:*:openeuler:*:*
- cpe:2.3:o:openeuler:libpq:*:*:*:*:*:openeuler:*:*
https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1569
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
