LOW · 3.1

CVE-2023-39418

Vulnerability Description

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

CVSS Score

3.1

LOW

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: LOW
Availability: NONE

Affected Products

Vendor       Product                  Versions
PostgreSQL   PostgreSQL               >= 15.0, < 15.4
Red Hat      Enterprise Linux         8.0
Debian       Debian Linux             12.0

Related Weaknesses (CWE)

References

FAQ

What is CVE-2023-39418?

CVE-2023-39418 is a vulnerability with a CVSS score of 3.1 (LOW). A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

How severe is CVE-2023-39418?

CVE-2023-39418 has been rated LOW with a CVSS base score of 3.1/10. Review the CVSS metrics above for a detailed severity breakdown.

Is there a patch for CVE-2023-39418?

Check the references section above for vendor advisories and patch information. Affected products include: PostgreSQL (>= 15.0, < 15.4), Red Hat Enterprise Linux 8.0, and Debian Linux 12.0.