
=====================================================================

                            CERT-Renater

                  Information Note No. 2023/VULN193

_____________________________________________________________________

DATE                : 12/05/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running PostgreSQL versions prior to 15.3,
                              14.8, 13.11, 12.15, 11.20.

=====================================================================
https://www.postgresql.org/support/security/CVE-2023-2455/
https://www.postgresql.org/support/security/CVE-2023-2454/
_____________________________________________________________________


CVE-2023-2455
Row security policies disregard user ID changes after inlining

While CVE-2016-2193 fixed most interactions between row security and
user ID changes, it missed a scenario involving function inlining.
This leads to potentially incorrect policies being applied in cases
where role-specific policies are used and a given query is planned
under one role and then executed under other roles. This scenario
can happen under security definer functions or when a common user
and query is planned initially and then re-used across multiple
SET ROLEs. Applying an incorrect policy may permit a user to
complete otherwise-forbidden reads and modifications. This affects
only databases that have used CREATE POLICY to define a row
security policy.

The PostgreSQL project thanks Wolfgang Walther for reporting this
problem.


Version Information
Affected Version        Fixed In        Fix Published
15                      15.3            2023-05-11
14                      14.8            2023-05-11
13                      13.11           2023-05-11
12                      12.15           2023-05-11
11                      11.20           2023-05-11

For more information about PostgreSQL versioning, please visit the
versioning page.


CVSS 3.0

Overall Score   4.2
Component       core server
Vector          AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N


Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL,
please send an email to security@postgresql.org.

For reporting non-security bugs, please see the Report a Bug page.


_____________________________________________________________________

CVE-2023-2454
CREATE SCHEMA ... schema_element defeats protective search_path
changes

This enabled an attacker having database-level CREATE privilege to
execute arbitrary code as the bootstrap superuser. Database owners
have that right by default, and explicit grants may extend it to
other users.

The PostgreSQL project thanks Alexander Lakhin for reporting this
problem.


Version Information

Affected Version        Fixed In        Fix Published
15                      15.3            2023-05-11
14                      14.8            2023-05-11
13                      13.11           2023-05-11
12                      12.15           2023-05-11
11                      11.20           2023-05-11



CVSS 3.0

Overall Score   7.2
Component       core server
Vector          AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
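
Added example (not part of the original bulletin or of the PostgreSQL
advisories): a catalog query to triage exposure to both CVEs above. It
reports the server's patch state, the tables carrying row security
policies (CVE-2023-2455), and the non-superuser roles holding
database-level CREATE (CVE-2023-2454). It assumes the fixed releases
from the tables above, encoded as server_version_num, and must be run
once per database.

```sql
-- Added example: exposure triage for CVE-2023-2455 and CVE-2023-2454.
-- Run in each database with a role that can read the system catalogs.
WITH v AS (
    SELECT current_setting('server_version_num')::int AS num
),
fixed(major, min_num) AS (
    -- Fixed releases listed in this bulletin, as server_version_num
    -- (major * 10000 + minor for PostgreSQL 10 and later).
    VALUES (15, 150003), (14, 140008), (13, 130011),
           (12, 120015), (11, 110020)
),
status AS (
    SELECT CASE
               WHEN f.min_num IS NULL  THEN 'branch not listed in bulletin'
               WHEN v.num >= f.min_num THEN 'fixed'
               ELSE 'vulnerable, upgrade to the fixed minor release'
           END AS patch_state
    FROM v
    LEFT JOIN fixed f ON f.major = v.num / 10000
)
-- 1. Patch state of the server this session is connected to
SELECT 'server'::text             AS item,
       current_database()::text   AS object,
       patch_state::text          AS detail
FROM status
UNION ALL
-- 2. CVE-2023-2455 only matters where CREATE POLICY has been used;
--    policies bound to specific roles are the ones to review first.
SELECT 'rls_policy',
       format('%I.%I', schemaname, tablename),
       format('policy=%s roles=%s cmd=%s', policyname, roles, cmd)
FROM pg_policies
UNION ALL
-- 3. CVE-2023-2454: non-superuser roles with database-level CREATE
--    (includes the database owner and roles that inherit the grant).
SELECT 'db_create_priv',
       rolname::text,
       'CREATE on database ' || current_database()::text
FROM pg_roles
WHERE NOT rolsuper
  AND has_database_privilege(rolname, current_database()::text, 'CREATE');
```

A 'vulnerable' server row combined with any rls_policy or
db_create_priv rows marks a database to prioritise for the upgrade.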



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

