CVE-2023-39418: Postgresql: merge fails to enforce update or select row security policies

Description

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

Classification

CVE ID: CVE-2023-39418

Affected Products

Vendor: Red Hat

Product: Red Hat Enterprise Linux 8

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.5% (probability of being exploited)

EPSS Percentile: 76.25% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

References

https://access.redhat.com/errata/RHSA-2023:7785
https://access.redhat.com/errata/RHSA-2023:7883
https://access.redhat.com/errata/RHSA-2023:7884
https://access.redhat.com/errata/RHSA-2023:7885
https://access.redhat.com/security/cve/CVE-2023-39418
https://bugzilla.redhat.com/show_bug.cgi?id=2228112
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229
https://www.postgresql.org/support/security/CVE-2023-39418/

Timeline

2024-12-04 00:11:17 UTC
CVE

Postgresql: merge fails to enforce update or select row security policies