CVE-2023-39417

Name
CVE-2023-39417
Description
IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://www.postgresql.org/support/security/CVE-2023-39417
vdb-entry https://access.redhat.com/security/cve/CVE-2023-39417
issue-tracking https://bugzilla.redhat.com/show_bug.cgi?id=2228111
Third Party Advisory https://security.netapp.com/advisory/ntap-20230915-0002/
Mailing List https://lists.debian.org/debian-lts-announce/2023/10/msg00003.html
https://www.debian.org/security/2023/dsa-5554
https://www.debian.org/security/2023/dsa-5553
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7545
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7579
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7580
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7581
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7616
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7656
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7666
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7667
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7694
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7695
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7714
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7770
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7772
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7784
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7785
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7883
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7884
vendor-advisory https://access.redhat.com/errata/RHSA-2023:7885
vendor-advisory https://access.redhat.com/errata/RHSA-2024:0304
vendor-advisory https://access.redhat.com/errata/RHSA-2024:0332
vendor-advisory https://access.redhat.com/errata/RHSA-2024:0337

Match rules

CPE URI Source package Min version Max version
cpe:/a:redhat:advanced_cluster_security:4.2::el8 shopxo >= 4.2.4-6 < *
cpe:/a:redhat:advanced_cluster_security:4.2::el8 shopxo >= 4.2.4-7 < *
cpe:/a:redhat:enterprise_linux:8::appstream shopxo >= 8090020231114113712.a75119d5 < *
cpe:/a:redhat:enterprise_linux:8::appstream shopxo >= 8090020231128173330.a75119d5 < *
cpe:/a:redhat:enterprise_linux:8::appstream shopxo >= 8090020231114113548.a75119d5 < *
cpe:/a:redhat:rhel_eus:8.6::appstream shopxo >= 8060020231114115246.ad008a3a < *
cpe:/a:redhat:rhel_eus:8.6::appstream shopxo >= 8060020231128165328.ad008a3a < *
cpe:/a:redhat:rhel_eus:8.8::appstream shopxo >= 8080020231114105206.63b34585 < *
cpe:/a:redhat:rhel_eus:8.8::appstream shopxo >= 8080020231128165335.63b34585 < *
cpe:/a:redhat:rhel_eus:8.8::appstream shopxo >= 8080020231113134015.63b34585 < *
cpe:/a:redhat:enterprise_linux:9::appstream shopxo >= 9030020231120082734.rhel9 < *
cpe:/a:redhat:rhel_eus:9.2::appstream shopxo >= 0:13.13-1.el9_2 < *
cpe:/a:redhat:rhel_eus:9.2::appstream shopxo >= 9020020231115020618.rhel9 < *
cpe:/a:redhat:rhel_software_collections:3::el7 shopxo >= 0:12.17-1.el7 < *
cpe:/a:redhat:rhel_software_collections:3::el7 shopxo >= 0:13.13-1.el7 < *
cpe:/a:redhat:advanced_cluster_security:3.74::el8 shopxo >= 3.74.8-9 < *
cpe:/a:redhat:advanced_cluster_security:3.74::el8 shopxo >= 3.74.8-7 < *
cpe:/a:redhat:advanced_cluster_security:4.1::el8 shopxo >= 4.1.6-6 < *
cpe:/a:redhat:rhel_eus:9.0::appstream shopxo >= 0:13.13-1.el9_0 < *
cpe:/a:redhat:rhel_e4s:8.2::appstream shopxo >= 8020020231128165246.4cda2c84 < *
cpe:/a:redhat:rhel_aus:8.4::appstream shopxo >= 8040020231127153301.522a0ee4 < *
cpe:/a:redhat:rhel_aus:8.4::appstream shopxo >= 8040020231127154806.522a0ee4 < *
cpe:/a:redhat:enterprise_linux:9::appstream shopxo >= 0:13.13-1.el9_3 < *

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
postgresql15 edge-main 15.4-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql15 edge-community 15.4-r0 None fixed
postgresql15 3.22-community 15.4-r0 None fixed
postgresql15 3.21-community 15.4-r0 None fixed
postgresql15 3.20-main 15.4-r0 None fixed
postgresql15 3.19-main 15.4-r0 None fixed
postgresql15 3.18-main 15.4-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql15 3.17-main 15.4-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql14 edge-main 14.9-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql14 edge-community 14.9-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql14 3.20-community 14.9-r0 None fixed
postgresql14 3.19-community 14.9-r0 None fixed
postgresql14 3.18-main 14.9-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql14 3.17-main 14.9-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql13 edge-community 13.12-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql13 3.19-community 13.12-r0 None fixed
postgresql13 3.18-community 13.12-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql12 edge-community 12.16-r0 Jakub Jirutka <jakub@jirutka.cz> fixed
postgresql12 3.18-community 12.16-r0 Jakub Jirutka <jakub@jirutka.cz> fixed