CVE-2023-2455

Published: Jun 9, 2023
Modified: Jan 6, 2025

CVSS v3.1 base score: 5.4
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Exploitability: 2.8 / Impact: 2.5
Source: NVD

Description

Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

Affected (9)

Vendors and products:
  PostgreSQL (1 product): Postgresql
  Red Hat (2 products): Enterprise Linux, Software Collections
  Fedora Project (1 product): Fedora

Configuration A (5 vulnerable)
  Vulnerable software    Affected versions
  Postgresql             from 11.0 to 11.20
  Postgresql             from 12.0 to 12.15
  Postgresql             from 13.0 to 13.11
  Postgresql             from 14.0 to 14.8
  Postgresql             from 15.0 to 15.3

Configuration B (3 vulnerable)
  Vulnerable software    Affected versions
  Enterprise Linux       8.0
  Enterprise Linux       9.0
  Software Collections   all versions

Configuration C (1 vulnerable)
  Vulnerable software    Affected versions
  Fedora                 38

References (6)

  Source: secalert@redhat.com - Third Party Advisory
  Source: secalert@redhat.com - Vendor Advisory
  Source: af854a3a-2127-422b-91ae-364da2661108 - Third Party Advisory
  Source: af854a3a-2127-422b-91ae-364da2661108 - (no tag)
  Source: af854a3a-2127-422b-91ae-364da2661108 - Vendor Advisory

Timeline

No history available yet.