Description Patrick Lauer 2023-08-14 06:30:19 UTC

CVE-2023-39417: Extension script @substitutions@ within quoting allow SQL injection.

Supported, Vulnerable Versions: 11 - 15. The security team typically does not test unsupported versions, but this problem is quite old.

An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite is an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enables an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. PostgreSQL will block this attack in the core server, so there's no need to modify individual extensions.

The PostgreSQL project thanks Micah Gate, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem.
CVE-2023-39418: MERGE fails to enforce UPDATE or SELECT row security policies.

Supported, Vulnerable Versions: 15.

PostgreSQL 15 introduced the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. Subsequent consequences are application-dependent. This affects only databases that have used CREATE POLICY to define a row security policy.

The PostgreSQL project thanks Dean Rasheed for reporting this problem.