VuXML ID | Description |
cfd2a634-3785-11ee-94b4-6cc21735f730 | postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection
PostgreSQL Project reports
An extension script is vulnerable if it uses @extowner@,
@extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). No bundled extension is
vulnerable. Vulnerable uses do appear in a documentation
example and in non-bundled extensions. Hence, the attack
prerequisite is an administrator having installed files of a
vulnerable, trusted, non-bundled extension. Subject to that
prerequisite, this enables an attacker having database-level
CREATE privilege to execute arbitrary code as the bootstrap
superuser. PostgreSQL will block this attack in the core
server, so there's no need to modify individual extensions.
Discovery 2023-08-10 Entry 2023-08-10 postgresql-server
< 11.21
< 12.16
< 13.12
< 14.9
< 15.4
CVE-2023-39417
https://www.postgresql.org/support/security/CVE-2023-39417/
|
fbb5a260-f00f-11ed-bbae-6cc21735f730 | postgresql-server -- CREATE SCHEMA ... schema elements defeats protective search_path changes
PostgreSQL Project reports
This enabled an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap
superuser. Database owners have that right by default,
and explicit grants may extend it to other users.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2454
https://www.postgresql.org/support/security/CVE-2023-2454/
|
31f45d06-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Memory disclosure in aggregate function calls
PostgreSQL Project reports:
Certain aggregate function calls receiving "unknown"-type
arguments could disclose bytes of server memory from the end of
the "unknown"-type value to the next zero byte. One typically
gets an "unknown"-type value via a string literal having no type
designation. We have not confirmed or ruled out viability of
attacks that arrange for presence of notable, confidential
information in disclosed bytes.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5868
https://www.postgresql.org/support/security/CVE-2023-5868/
|
51436b4c-1250-11dd-bab7-0016179b2dd5 | postgresql -- multiple vulnerabilities
The PostgreSQL developers report:
PostgreSQL allows users to create indexes on the results of
user-defined functions, known as "expression indexes". This provided
two vulnerabilities to privilege escalation: (1) index functions
were executed as the superuser and not the table owner during VACUUM
and ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION
were permitted within index functions. Both of these holes have now
been closed.
PostgreSQL allowed malicious users to initiate a denial-of-service
by passing certain regular expressions in SQL queries. First, users
could create infinite loops using some specific regular expressions.
Second, certain complex regular expressions could consume excessive
amounts of memory. Third, out-of-range backref numbers could be used
to crash the backend.
DBLink functions combined with local trust or ident authentication
could be used by a malicious user to gain superuser privileges. This
issue has been fixed, and does not affect users who have not
installed DBLink (an optional module), or who are using password
authentication for local access. This same problem was addressed in
the previous release cycle, but that patch failed to close all forms
of the loophole.
Discovery 2008-01-06 Entry 2008-04-24 postgresql
postgresql-server
ge 7.3 lt 7.3.21
ge 7.4 lt 7.4.19
ge 8.0 lt 8.0.15
ge 8.1 lt 8.1.11
ge 8.2 lt 8.2.6
CVE-2007-6600
CVE-2007-4772
CVE-2007-6067
CVE-2007-4769
CVE-2007-6601
27163
http://www.postgresql.org/about/news.905
|
31f45d06-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Memory disclosure in aggregate function calls
PostgreSQL Project reports:
Certain aggregate function calls receiving "unknown"-type
arguments could disclose bytes of server memory from the end of
the "unknown"-type value to the next zero byte. One typically
gets an "unknown"-type value via a string literal having no type
designation. We have not confirmed or ruled out viability of
attacks that arrange for presence of notable, confidential
information in disclosed bytes.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5868
https://www.postgresql.org/support/security/CVE-2023-5868/
|
0f445859-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Buffer overrun from integer overflow in array modification
PostgreSQL Project reports:
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5869
https://www.postgresql.org/support/security/CVE-2023-5869/
|
e050119b-3856-11df-b2b2-002170daae37 | postgresql -- bitsubstr overflow
BugTraq reports:
PostgreSQL is prone to a buffer-overflow
vulnerability because the application fails to
perform adequate boundary checks on user-supplied
data.
Attackers can exploit this issue to execute
arbitrary code with elevated privileges or
crash the affected application.
Discovery 2010-01-27 Entry 2010-03-25 postgresql-server
ge 7.4 lt 7.4.28
ge 8.0 lt 8.0.24
ge 8.1 lt 8.1.20
ge 8.2 lt 8.2.16
ge 8.3 lt 8.3.10
ge 8.4 lt 8.4.3
37973
CVE-2010-0442
|
bbb18fcb-7f0d-11ee-94b4-6cc21735f730 | postgresql-server -- Role pg_cancel_backend can signal certain superuser processes
PostgreSQL Project reports:
Documentation says the pg_cancel_backend role cannot
signal "a backend owned by a superuser". On the
contrary, it can signal background workers, including
the logical replication launcher. It can signal
autovacuum workers and the autovacuum launcher.
Signaling autovacuum workers and those two launchers
provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a
less-resilient background worker. For example, a
non-core background worker that does not auto-restart
would experience a denial of service with respect to
that particular background worker.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5870
https://www.postgresql.org/support/security/CVE-2023-5870/
|
e7bc5600-eaa0-11de-bd9c-00215c6a37bb | postgresql -- multiple vulnerabilities
PostgreSQL project reports:
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23,
8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9,
and 8.4.x before 8.4.2 does not properly handle a '\0' character
in a domain name in the subject's Common Name (CN) field of an
X.509 certificate, which (1) allows man-in-the-middle attackers
to spoof arbitrary SSL-based PostgreSQL servers via a crafted
server certificate issued by a legitimate Certification Authority,
and (2) allows remote attackers to bypass intended client-hostname
restrictions via a crafted client certificate issued by a legitimate
Certification Authority, a related issue to CVE-2009-2408.
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23,
8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9,
and 8.4.x before 8.4.2 does not properly manage session-local
state during execution of an index function by a database
superuser, which allows remote authenticated users to gain
privileges via a table with crafted index functions, as
demonstrated by functions that modify (1) search_path or
(2) a prepared statement, a related issue to CVE-2007-6600
and CVE-2009-3230.
Discovery 2009-11-20 Entry 2009-12-17 postgresql-client
postgresql-server
ge 7.4 lt 7.4.27
ge 8.0 lt 8.0.23
ge 8.1 lt 8.1.19
ge 8.2 lt 8.2.15
ge 8.3 lt 8.3.9
ge 8.4 lt 8.4.2
CVE-2009-4034
CVE-2009-4136
|
bbb18fcb-7f0d-11ee-94b4-6cc21735f730 | postgresql-server -- Role pg_cancel_backend can signal certain superuser processes
PostgreSQL Project reports:
Documentation says the pg_cancel_backend role cannot
signal "a backend owned by a superuser". On the
contrary, it can signal background workers, including
the logical replication launcher. It can signal
autovacuum workers and the autovacuum launcher.
Signaling autovacuum workers and those two launchers
provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a
less-resilient background worker. For example, a
non-core background worker that does not auto-restart
would experience a denial of service with respect to
that particular background worker.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5870
https://www.postgresql.org/support/security/CVE-2023-5870/
|
19e6dd1b-c6a5-11ee-9cd0-6cc21735f730 | postgresql-server -- non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL
PostgreSQL Project reports:
One step of a concurrent refresh command was run under
weak security restrictions. If a materialized view's
owner could persuade a superuser or other
high-privileged user to perform a concurrent refresh on
that view, the view's owner could control code executed
with the privileges of the user running REFRESH. The fix
for the vulnerability makes is so that all
user-determined code is run as the view's owner, as
expected.
Discovery 2024-02-08 Entry 2024-02-08 postgresql-server
< 15.6
< 14.11
< 13.14
< 12.18
CVE-2024-0985
https://www.postgresql.org/support/security/CVE-2024-0985/
|
bbb18fcb-7f0d-11ee-94b4-6cc21735f730 | postgresql-server -- Role pg_cancel_backend can signal certain superuser processes
PostgreSQL Project reports:
Documentation says the pg_cancel_backend role cannot
signal "a backend owned by a superuser". On the
contrary, it can signal background workers, including
the logical replication launcher. It can signal
autovacuum workers and the autovacuum launcher.
Signaling autovacuum workers and those two launchers
provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a
less-resilient background worker. For example, a
non-core background worker that does not auto-restart
would experience a denial of service with respect to
that particular background worker.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5870
https://www.postgresql.org/support/security/CVE-2023-5870/
|
fbb5a260-f00f-11ed-bbae-6cc21735f730 | postgresql-server -- CREATE SCHEMA ... schema elements defeats protective search_path changes
PostgreSQL Project reports
This enabled an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap
superuser. Database owners have that right by default,
and explicit grants may extend it to other users.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2454
https://www.postgresql.org/support/security/CVE-2023-2454/
|
fbb5a260-f00f-11ed-bbae-6cc21735f730 | postgresql-server -- CREATE SCHEMA ... schema elements defeats protective search_path changes
PostgreSQL Project reports
This enabled an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap
superuser. Database owners have that right by default,
and explicit grants may extend it to other users.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2454
https://www.postgresql.org/support/security/CVE-2023-2454/
|
cfd2a634-3785-11ee-94b4-6cc21735f730 | postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection
PostgreSQL Project reports
An extension script is vulnerable if it uses @extowner@,
@extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). No bundled extension is
vulnerable. Vulnerable uses do appear in a documentation
example and in non-bundled extensions. Hence, the attack
prerequisite is an administrator having installed files of a
vulnerable, trusted, non-bundled extension. Subject to that
prerequisite, this enables an attacker having database-level
CREATE privilege to execute arbitrary code as the bootstrap
superuser. PostgreSQL will block this attack in the core
server, so there's no need to modify individual extensions.
Discovery 2023-08-10 Entry 2023-08-10 postgresql-server
< 11.21
< 12.16
< 13.12
< 14.9
< 15.4
CVE-2023-39417
https://www.postgresql.org/support/security/CVE-2023-39417/
|
fbb5a260-f00f-11ed-bbae-6cc21735f730 | postgresql-server -- CREATE SCHEMA ... schema elements defeats protective search_path changes
PostgreSQL Project reports
This enabled an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap
superuser. Database owners have that right by default,
and explicit grants may extend it to other users.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2454
https://www.postgresql.org/support/security/CVE-2023-2454/
|
cfd2a634-3785-11ee-94b4-6cc21735f730 | postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection
PostgreSQL Project reports
An extension script is vulnerable if it uses @extowner@,
@extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). No bundled extension is
vulnerable. Vulnerable uses do appear in a documentation
example and in non-bundled extensions. Hence, the attack
prerequisite is an administrator having installed files of a
vulnerable, trusted, non-bundled extension. Subject to that
prerequisite, this enables an attacker having database-level
CREATE privilege to execute arbitrary code as the bootstrap
superuser. PostgreSQL will block this attack in the core
server, so there's no need to modify individual extensions.
Discovery 2023-08-10 Entry 2023-08-10 postgresql-server
< 11.21
< 12.16
< 13.12
< 14.9
< 15.4
CVE-2023-39417
https://www.postgresql.org/support/security/CVE-2023-39417/
|
0f445859-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Buffer overrun from integer overflow in array modification
PostgreSQL Project reports:
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5869
https://www.postgresql.org/support/security/CVE-2023-5869/
|
31f45d06-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Memory disclosure in aggregate function calls
PostgreSQL Project reports:
Certain aggregate function calls receiving "unknown"-type
arguments could disclose bytes of server memory from the end of
the "unknown"-type value to the next zero byte. One typically
gets an "unknown"-type value via a string literal having no type
designation. We have not confirmed or ruled out viability of
attacks that arrange for presence of notable, confidential
information in disclosed bytes.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5868
https://www.postgresql.org/support/security/CVE-2023-5868/
|
bbb18fcb-7f0d-11ee-94b4-6cc21735f730 | postgresql-server -- Role pg_cancel_backend can signal certain superuser processes
PostgreSQL Project reports:
Documentation says the pg_cancel_backend role cannot
signal "a backend owned by a superuser". On the
contrary, it can signal background workers, including
the logical replication launcher. It can signal
autovacuum workers and the autovacuum launcher.
Signaling autovacuum workers and those two launchers
provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a
less-resilient background worker. For example, a
non-core background worker that does not auto-restart
would experience a denial of service with respect to
that particular background worker.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5870
https://www.postgresql.org/support/security/CVE-2023-5870/
|
0f445859-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Buffer overrun from integer overflow in array modification
PostgreSQL Project reports:
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5869
https://www.postgresql.org/support/security/CVE-2023-5869/
|
31f45d06-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Memory disclosure in aggregate function calls
PostgreSQL Project reports:
Certain aggregate function calls receiving "unknown"-type
arguments could disclose bytes of server memory from the end of
the "unknown"-type value to the next zero byte. One typically
gets an "unknown"-type value via a string literal having no type
designation. We have not confirmed or ruled out viability of
attacks that arrange for presence of notable, confidential
information in disclosed bytes.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5868
https://www.postgresql.org/support/security/CVE-2023-5868/
|
59a43a73-3786-11ee-94b4-6cc21735f730 | postgresql-server -- MERGE fails to enforce UPDATE or SELECT row security policies
PostgreSQL Project reports
PostgreSQL 15 introduced the MERGE command, which fails to test
new rows against row security policies defined for UPDATE and
SELECT. If UPDATE and SELECT policies forbid some row that
INSERT policies do not forbid, a user could store such rows.
Subsequent consequences are application-dependent. This
affects only databases that have used CREATE POLICY to define
a row security policy.
Discovery 2023-08-10 Entry 2023-08-10 postgresql-server
< 15.4
CVE-2023-39418
https://www.postgresql.org/support/security/CVE-2023-39418/
|
bbb18fcb-7f0d-11ee-94b4-6cc21735f730 | postgresql-server -- Role pg_cancel_backend can signal certain superuser processes
PostgreSQL Project reports:
Documentation says the pg_cancel_backend role cannot
signal "a backend owned by a superuser". On the
contrary, it can signal background workers, including
the logical replication launcher. It can signal
autovacuum workers and the autovacuum launcher.
Signaling autovacuum workers and those two launchers
provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a
less-resilient background worker. For example, a
non-core background worker that does not auto-restart
would experience a denial of service with respect to
that particular background worker.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5870
https://www.postgresql.org/support/security/CVE-2023-5870/
|
0f445859-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Buffer overrun from integer overflow in array modification
PostgreSQL Project reports:
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5869
https://www.postgresql.org/support/security/CVE-2023-5869/
|
19e6dd1b-c6a5-11ee-9cd0-6cc21735f730 | postgresql-server -- non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL
PostgreSQL Project reports:
One step of a concurrent refresh command was run under
weak security restrictions. If a materialized view's
owner could persuade a superuser or other
high-privileged user to perform a concurrent refresh on
that view, the view's owner could control code executed
with the privileges of the user running REFRESH. The fix
for the vulnerability makes is so that all
user-determined code is run as the view's owner, as
expected.
Discovery 2024-02-08 Entry 2024-02-08 postgresql-server
< 15.6
< 14.11
< 13.14
< 12.18
CVE-2024-0985
https://www.postgresql.org/support/security/CVE-2024-0985/
|
0f445859-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Buffer overrun from integer overflow in array modification
PostgreSQL Project reports:
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5869
https://www.postgresql.org/support/security/CVE-2023-5869/
|
4b636f50-f011-11ed-bbae-6cc21735f730 | postgresql-server -- Row security policies disregard user ID changes after inlining
PostgreSQL Project reports
While CVE-2016-2193 fixed most interaction between row security and
user ID changes, it missed a scenario involving function
inlining. This leads to potentially incorrect policies being
applied in cases where role-specific policies are used and a
given query is planned under one role and then executed under
other roles. This scenario can happen under security definer
functions or when a common user and query is planned
initially and then re-used across multiple SET ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects
only databases that have used CREATE POLICY to define a row
security policy.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2455
https://www.postgresql.org/support/security/CVE-2023-2455/
|
42d42090-9a4d-11e3-b029-08002798f6ff | PostgreSQL -- multiple privilege issues
PostgreSQL Project reports:
This update fixes CVE-2014-0060, in which PostgreSQL did not
properly enforce the WITH ADMIN OPTION permission for ROLE management.
Before this fix, any member of a ROLE was able to grant others access
to the same ROLE regardless if the member was given the WITH ADMIN
OPTION permission. It also fixes multiple privilege escalation issues,
including: CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064,
CVE-2014-0065, and CVE-2014-0066. More information on these issues can
be found on our security page and the security issue detail wiki page.
With this release, we are also alerting users to a known security hole
that allows other users on the same machine to gain access to an
operating system account while it is doing "make check":
CVE-2014-0067. "Make check" is normally part of building PostgreSQL
from source code. As it is not possible to fix this issue without
causing significant issues to our testing infrastructure, a patch will
be released separately and publicly. Until then, users are strongly
advised not to run "make check" on machines where untrusted users have
accounts.
Discovery 2014-02-20 Entry 2014-02-20 postgresql-server
< 8.4.20
ge 9.0.0 lt 9.0.16
ge 9.1.0 lt 9.1.12
ge 9.2.0 lt 9.2.7
ge 9.3.0 lt 9.3.3
CVE-2014-0060
CVE-2014-0061
CVE-2014-0062
CVE-2014-0063
CVE-2014-0064
CVE-2014-0065
CVE-2014-0066
CVE-2014-0067
|
0f445859-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Buffer overrun from integer overflow in array modification
PostgreSQL Project reports:
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5869
https://www.postgresql.org/support/security/CVE-2023-5869/
|
4b636f50-f011-11ed-bbae-6cc21735f730 | postgresql-server -- Row security policies disregard user ID changes after inlining
PostgreSQL Project reports
While CVE-2016-2193 fixed most interaction between row security and
user ID changes, it missed a scenario involving function
inlining. This leads to potentially incorrect policies being
applied in cases where role-specific policies are used and a
given query is planned under one role and then executed under
other roles. This scenario can happen under security definer
functions or when a common user and query is planned
initially and then re-used across multiple SET ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects
only databases that have used CREATE POLICY to define a row
security policy.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2455
https://www.postgresql.org/support/security/CVE-2023-2455/
|
31f45d06-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Memory disclosure in aggregate function calls
PostgreSQL Project reports:
Certain aggregate function calls receiving "unknown"-type
arguments could disclose bytes of server memory from the end of
the "unknown"-type value to the next zero byte. One typically
gets an "unknown"-type value via a string literal having no type
designation. We have not confirmed or ruled out viability of
attacks that arrange for presence of notable, confidential
information in disclosed bytes.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5868
https://www.postgresql.org/support/security/CVE-2023-5868/
|
31f45d06-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Memory disclosure in aggregate function calls
PostgreSQL Project reports:
Certain aggregate function calls receiving "unknown"-type
arguments could disclose bytes of server memory from the end of
the "unknown"-type value to the next zero byte. One typically
gets an "unknown"-type value via a string literal having no type
designation. We have not confirmed or ruled out viability of
attacks that arrange for presence of notable, confidential
information in disclosed bytes.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5868
https://www.postgresql.org/support/security/CVE-2023-5868/
|
4b636f50-f011-11ed-bbae-6cc21735f730 | postgresql-server -- Row security policies disregard user ID changes after inlining
PostgreSQL Project reports
While CVE-2016-2193 fixed most interaction between row security and
user ID changes, it missed a scenario involving function
inlining. This leads to potentially incorrect policies being
applied in cases where role-specific policies are used and a
given query is planned under one role and then executed under
other roles. This scenario can happen under security definer
functions or when a common user and query is planned
initially and then re-used across multiple SET ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects
only databases that have used CREATE POLICY to define a row
security policy.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2455
https://www.postgresql.org/support/security/CVE-2023-2455/
|
cfd2a634-3785-11ee-94b4-6cc21735f730 | postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection
PostgreSQL Project reports
An extension script is vulnerable if it uses @extowner@,
@extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). No bundled extension is
vulnerable. Vulnerable uses do appear in a documentation
example and in non-bundled extensions. Hence, the attack
prerequisite is an administrator having installed files of a
vulnerable, trusted, non-bundled extension. Subject to that
prerequisite, this enables an attacker having database-level
CREATE privilege to execute arbitrary code as the bootstrap
superuser. PostgreSQL will block this attack in the core
server, so there's no need to modify individual extensions.
Discovery 2023-08-10 Entry 2023-08-10 postgresql-server
< 11.21
< 12.16
< 13.12
< 14.9
< 15.4
CVE-2023-39417
https://www.postgresql.org/support/security/CVE-2023-39417/
|
4b636f50-f011-11ed-bbae-6cc21735f730 | postgresql-server -- Row security policies disregard user ID changes after inlining
PostgreSQL Project reports
While CVE-2016-2193 fixed most interaction between row security and
user ID changes, it missed a scenario involving function
inlining. This leads to potentially incorrect policies being
applied in cases where role-specific policies are used and a
given query is planned under one role and then executed under
other roles. This scenario can happen under security definer
functions or when a common user and query is planned
initially and then re-used across multiple SET ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects
only databases that have used CREATE POLICY to define a row
security policy.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2455
https://www.postgresql.org/support/security/CVE-2023-2455/
|
19e6dd1b-c6a5-11ee-9cd0-6cc21735f730 | postgresql-server -- non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL
PostgreSQL Project reports:
One step of a concurrent refresh command was run under
weak security restrictions. If a materialized view's
owner could persuade a superuser or other
high-privileged user to perform a concurrent refresh on
that view, the view's owner could control code executed
with the privileges of the user running REFRESH. The fix
for the vulnerability makes is so that all
user-determined code is run as the view's owner, as
expected.
Discovery 2024-02-08 Entry 2024-02-08 postgresql-server
< 15.6
< 14.11
< 13.14
< 12.18
CVE-2024-0985
https://www.postgresql.org/support/security/CVE-2024-0985/
|
19e6dd1b-c6a5-11ee-9cd0-6cc21735f730 | postgresql-server -- non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL
PostgreSQL Project reports:
One step of a concurrent refresh command was run under
weak security restrictions. If a materialized view's
owner could persuade a superuser or other
high-privileged user to perform a concurrent refresh on
that view, the view's owner could control code executed
with the privileges of the user running REFRESH. The fix
for the vulnerability makes is so that all
user-determined code is run as the view's owner, as
expected.
Discovery 2024-02-08 Entry 2024-02-08 postgresql-server
< 15.6
< 14.11
< 13.14
< 12.18
CVE-2024-0985
https://www.postgresql.org/support/security/CVE-2024-0985/
|
fbb5a260-f00f-11ed-bbae-6cc21735f730 | postgresql-server -- CREATE SCHEMA ... schema elements defeats protective search_path changes
PostgreSQL Project reports
This enabled an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap
superuser. Database owners have that right by default,
and explicit grants may extend it to other users.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2454
https://www.postgresql.org/support/security/CVE-2023-2454/
|
bbb18fcb-7f0d-11ee-94b4-6cc21735f730 | postgresql-server -- Role pg_cancel_backend can signal certain superuser processes
PostgreSQL Project reports:
Documentation says the pg_cancel_backend role cannot
signal "a backend owned by a superuser". On the
contrary, it can signal background workers, including
the logical replication launcher. It can signal
autovacuum workers and the autovacuum launcher.
Signaling autovacuum workers and those two launchers
provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a
less-resilient background worker. For example, a
non-core background worker that does not auto-restart
would experience a denial of service with respect to
that particular background worker.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5870
https://www.postgresql.org/support/security/CVE-2023-5870/
|
cfd2a634-3785-11ee-94b4-6cc21735f730 | postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection
PostgreSQL Project reports
An extension script is vulnerable if it uses @extowner@,
@extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). No bundled extension is
vulnerable. Vulnerable uses do appear in a documentation
example and in non-bundled extensions. Hence, the attack
prerequisite is an administrator having installed files of a
vulnerable, trusted, non-bundled extension. Subject to that
prerequisite, this enables an attacker having database-level
CREATE privilege to execute arbitrary code as the bootstrap
superuser. PostgreSQL will block this attack in the core
server, so there's no need to modify individual extensions.
Discovery 2023-08-10 Entry 2023-08-10 postgresql-server
< 11.21
< 12.16
< 13.12
< 14.9
< 15.4
CVE-2023-39417
https://www.postgresql.org/support/security/CVE-2023-39417/
|
4b636f50-f011-11ed-bbae-6cc21735f730 | postgresql-server -- Row security policies disregard user ID changes after inlining
PostgreSQL Project reports
While CVE-2016-2193 fixed most interaction between row security and
user ID changes, it missed a scenario involving function
inlining. This leads to potentially incorrect policies being
applied in cases where role-specific policies are used and a
given query is planned under one role and then executed under
other roles. This scenario can happen under security definer
functions or when a common user and query is planned
initially and then re-used across multiple SET ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects
only databases that have used CREATE POLICY to define a row
security policy.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2455
https://www.postgresql.org/support/security/CVE-2023-2455/
|