Vulnerability Details : CVE-2023-39418
A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.
Products affected by CVE-2023-39418
- cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
Threat overview for CVE-2023-39418
- Top open port discovered on systems with this issue: 80
- IPs affected by CVE-2023-39418: 3,855
- Threat actors abusing this issue? Yes
Exploit prediction scoring system (EPSS) score for CVE-2023-39418
- EPSS score: 0.44% (probability of exploitation activity in the next 30 days)
- Percentile: ~62% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2023-39418
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N | 2.8 | 1.4 | NIST | 
3.1 | LOW | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N | 1.6 | 1.4 | Red Hat, Inc. | 
CWE ids for CVE-2023-39418
- The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, implemented access controls lack required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets. (Assigned by: secalert@redhat.com, Primary)
References for CVE-2023-39418
- https://security.netapp.com/advisory/ntap-20230915-0002/ : August 2023 PostgreSQL Vulnerabilities in NetApp Products | NetApp Product Security
- https://access.redhat.com/errata/RHSA-2023:7885 : RHSA-2023:7885 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2023:7785 : RHSA-2023:7785 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cb2ae5741f2458a474ed3c31458d242e678ff229 : git.postgresql.org Git - postgresql.git/commitdiff (Mailing List; Patch)
- https://bugzilla.redhat.com/show_bug.cgi?id=2228112 : 2228112 - (CVE-2023-39418) CVE-2023-39418 postgresql: MERGE fails to enforce UPDATE or SELECT row security policies (Issue Tracking; Patch; Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2023:7884 : RHSA-2023:7884 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://www.debian.org/security/2023/dsa-5553 : Debian -- Security Information -- DSA-5553-1 postgresql-15
- https://access.redhat.com/errata/RHSA-2023:7883 : RHSA-2023:7883 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/security/cve/CVE-2023-39418 : CVE-2023-39418 - Red Hat Customer Portal (Third Party Advisory)
- https://www.postgresql.org/support/security/CVE-2023-39418/ : PostgreSQL: CVE-2023-39418: MERGE fails to enforce UPDATE or SELECT row security policies (Vendor Advisory)