Vulnerability Details : CVE-2023-5870
A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.
Vulnerability category: Denial of service
Products affected by CVE-2023-5870
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.8_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.0_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.8_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.2_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.0_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_eus:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:9.2_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:9.0_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.2_aarch64:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:8.6_aarch64:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.0_aarch64:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:9.2_s390x:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:9.0_s390x:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.8_aarch64:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_eus_for_power_little_endian_eus:9.2_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:codeready_linux_builder_eus_for_power_little_endian_eus:9.0_ppc64le:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:16.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-5870
0.19%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 56 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-5870
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.4
|
MEDIUM | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H |
0.7
|
3.6
|
NIST | |
2.2
|
LOW | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L |
0.7
|
1.4
|
Red Hat, Inc. |
CWE ids for CVE-2023-5870
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by: secalert@redhat.com (Secondary)
References for CVE-2023-5870
-
https://access.redhat.com/errata/RHSA-2023:7714
RHSA-2023:7714 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2023:7616
RHSA-2023:7616 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2023:7772
RHSA-2023:7772 - Security Advisory - Red Hat カスタマーポータルThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2023:7784
RHSA-2023:7784 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/errata/RHSA-2023:7581
RHSA-2023:7581 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2023:7885
RHSA-2023:7885 - Security Advisory - Red Hat カスタマーポータル
-
https://www.postgresql.org/support/security/CVE-2023-5870/
PostgreSQL: CVE-2023-5870: Role "pg_signal_backend" can signal certain superuser processesVendor Advisory
-
https://access.redhat.com/errata/RHSA-2023:7545
RHSA-2023:7545 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2023:7666
RHSA-2023:7666 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2023:7770
RHSA-2023:7770 - Security Advisory - Red Hat カスタマーポータルThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2024:0337
RHSA-2024:0337 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/errata/RHSA-2023:7785
RHSA-2023:7785 - Security Advisory - Red Hat Customer Portal
-
https://security.netapp.com/advisory/ntap-20240119-0003/
December 2023 PostgreSQL Vulnerabilities in NetApp Products | NetApp Product Security
-
https://access.redhat.com/errata/RHSA-2023:7667
RHSA-2023:7667 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=2247170
2247170 – (CVE-2023-5870) CVE-2023-5870 postgresql: Role pg_signal_backend can signal certain superuser processes.Issue Tracking
-
https://access.redhat.com/errata/RHSA-2023:7695
RHSA-2023:7695 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2024:0304
RHSA-2024:0304 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/errata/RHSA-2023:7884
RHSA-2023:7884 - Security Advisory - Red Hat Customer Portal
-
https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/
PostgreSQL: PostgreSQL 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22 Released!Release Notes
-
https://access.redhat.com/errata/RHSA-2023:7579
RHSA-2023:7579 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2023:7883
RHSA-2023:7883 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/errata/RHSA-2023:7580
RHSA-2023:7580 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2023:7656
RHSA-2023:7656 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2023:7694
RHSA-2023:7694 - Security Advisory - Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/security/cve/CVE-2023-5870
CVE-2023-5870- Red Hat Customer PortalThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2024:0332
RHSA-2024:0332 - Security Advisory - Red Hat Customer Portal
Jump to