- Description
- Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
- Source
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- NVD status
- Analyzed
CVSS 3.1
- Type
- Primary
- Base score
- 5.4
- Impact score
- 2.5
- Exploitability score
- 2.8
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- Severity
- MEDIUM
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- CWE-1250
- nvd@nist.gov
- NVD-CWE-noinfo
- Hype score
- Not currently trending
[
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "433D59A0-8811-4DDB-A9F7-D85C62F905CC",
"versionEndExcluding": "12.21",
"versionStartIncluding": "12.0"
},
{
"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "380F8048-FBE5-4606-93A3-915CFD229317",
"versionEndExcluding": "13.17",
"versionStartIncluding": "13.0"
},
{
"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "FACF31C7-3B20-4BAE-A596-9C59D67406D8",
"versionEndExcluding": "14.14",
"versionStartIncluding": "14.0"
},
{
"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DF12F1A2-3179-4DAC-B728-038B94954DC7",
"versionEndExcluding": "15.9",
"versionStartIncluding": "15.0"
},
{
"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "353CBD91-FC28-4DA3-B79A-F4F4DC80FA93",
"versionEndExcluding": "16.5",
"versionStartIncluding": "16.0"
},
{
"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "DCEB2049-EB8A-4703-B3FF-FC641623ED2C",
"versionEndExcluding": "17.1",
"versionStartIncluding": "17.0"
}
],
"operator": "OR"
}
]
}
]