CVE-2023-2454

Name
CVE-2023-2454
Description
schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.
NVD Severity
unknown
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://access.redhat.com/security/cve/CVE-2023-2454
MISC https://www.postgresql.org/support/security/CVE-2023-2454/
CONFIRM https://security.netapp.com/advisory/ntap-20230706-0006/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 15.0 < 15.3
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 14.0 < 14.8
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 13.0 < 13.11
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 12.0 < 12.15
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 11.0 < 11.20

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
postgresql12 3.17-community 12.15-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql13 3.17-community 13.11-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql 3.14-main 13.11-r0 Jakub Jirutka <jakub@jirutka.cz> fixed