Permissions, Privileges, and Access Controls in PostgreSQL

#VU79455 Permissions, Privileges, and Access Controls in PostgreSQL

Published: 2023-08-11 | Updated: 2024-01-30

Vulnerability identifier: #VU79455

Vulnerability risk: Low

CVSSv3.1: 3.7 [CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-39418

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due to the MERGE command does not properly enforce UPDATE or SELECT row security policies. A remote user can read or update protected data.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 15.0 - 15.3

External links
http://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Business Automation

Permissions, privileges, and access controls in IBM Sterling Connect:Direct Web Services

Multiple vulnerabilities in Dell Networker

Red Hat Enterprise Linux 8 update for the postgresql:15 module

Red Hat Enterprise Linux 8.8 Extended Update Support update for the postgresql:15 module

Red Hat Enterprise Linux 9.2 Extended Update Support update for the postgresql:15 module

Red Hat Enterprise Linux 9 update for the postgresql:15 module

Multiple vulnerabilities in Index Engines CyberSense

Debian update for postgresql-15

Multiple vulnerabilities in Dell Secure Connect Gateway Policy Manager