CVE-2023-39418

CVE-2023-39418

Name

CVE-2023-39418

Description

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229
MISC	https://access.redhat.com/security/cve/CVE-2023-39418
MISC	https://www.postgresql.org/support/security/CVE-2023-39418/
MISC	https://bugzilla.redhat.com/show_bug.cgi?id=2228112
MISC	https://security.netapp.com/advisory/ntap-20230915-0002/
	https://www.debian.org/security/2023/dsa-5553
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2023:7785
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2023:7883
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2023:7884
secalert@redhat.com	https://access.redhat.com/errata/RHSA-2023:7885

Type

URI

MISC

https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229

MISC

https://access.redhat.com/security/cve/CVE-2023-39418

MISC

https://www.postgresql.org/support/security/CVE-2023-39418/

MISC

https://bugzilla.redhat.com/show_bug.cgi?id=2228112

MISC

https://security.netapp.com/advisory/ntap-20230915-0002/

https://www.debian.org/security/2023/dsa-5553

secalert@redhat.com

https://access.redhat.com/errata/RHSA-2023:7785

secalert@redhat.com

https://access.redhat.com/errata/RHSA-2023:7883

secalert@redhat.com

https://access.redhat.com/errata/RHSA-2023:7884

secalert@redhat.com

https://access.redhat.com/errata/RHSA-2023:7885

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 15.0	< 15.4

CPE URI

Source package

Min version

Max version

cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

postgresql

>= 15.0

< 15.4

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
postgresql15	edge-main	15.4-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql15	edge-community	15.4-r0	None	fixed
postgresql15	3.22-community	15.4-r0	None	fixed
postgresql15	3.21-community	15.4-r0	None	fixed
postgresql15	3.20-main	15.4-r0	None	fixed
postgresql15	3.19-main	15.4-r0	None	fixed
postgresql15	3.18-main	15.4-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql15	3.17-main	15.4-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql14	edge-main	14.9-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql14	edge-community	14.9-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql14	3.20-community	14.9-r0	None	fixed
postgresql14	3.19-community	14.9-r0	None	fixed
postgresql14	3.18-main	14.9-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql14	3.17-main	14.9-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql13	edge-community	13.12-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql13	3.19-community	13.12-r0	None	fixed
postgresql13	3.18-community	13.12-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql12	edge-community	12.16-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql12	3.18-community	12.16-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed

Source package

Branch

Version

Maintainer

Status

postgresql15

edge-main

15.4-r0

Jakub Jirutka <jakub@jirutka.cz>

fixed

postgresql15

edge-community