CVE-2023-39418
low-risk
Published 2023-08-11
A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.
Do I need to act?
-
0.44% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
3
CVSS 3.1/10
Low
NETWORK
/ HIGH complexity
Affected Products (4)
Affected Vendors
References (18)
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7785
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7883
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7884
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7885
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-39418
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2228112
Vendor Advisory
https://www.postgresql.org/support/security/CVE-2023-39418/
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7785
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7883
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7884
Third Party Advisory
https://access.redhat.com/errata/RHSA-2023:7885
Third Party Advisory
https://access.redhat.com/security/cve/CVE-2023-39418
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2228112
Vendor Advisory
https://www.postgresql.org/support/security/CVE-2023-39418/
23
/ 100
low-risk
Severity
11/34 · Low
Exploitability
2/34 · Minimal
Exposure
10/34 · Low