Rapid7 Vulnerability & Exploit Database

PostgreSQL: CVE-2023-39418: MERGE fails to enforce UPDATE or SELECT row security policies


Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 08/11/2023
Created: 08/11/2023
Added: 08/11/2023
Modified: 08/21/2023

Description

A vulnerability was found in PostgreSQL's MERGE command: it fails to test new rows against the row security policies defined for UPDATE and SELECT. If the UPDATE and SELECT policies forbid some rows that the INSERT policies do not forbid, a user could store such rows.
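The following SQL is an added regression check for the behaviour described above; it is not part of the Rapid7 entry or of the PostgreSQL project's own test suite. The table, role and policy names are assumed. It sets up a table whose INSERT policy is permissive while its SELECT and UPDATE policies only admit rows owned by the current user, then runs a MERGE whose insert action produces a row the SELECT and UPDATE policies would forbid. On a fixed server (15.4 or later) the MERGE is rejected with an error of the form "new row violates row-level security policy" and the final count is zero; on an affected 15.x server the row is stored and the count is nonzero.

```sql
-- Added example (not from the Rapid7 entry or the PostgreSQL project).
-- Run as a superuser on PostgreSQL 15 (MERGE exists from 15 onward).
-- Role, table and policy names are assumed.
CREATE ROLE app_user LOGIN;

CREATE TABLE tickets (
    id     int  PRIMARY KEY,
    owner  text NOT NULL,
    status text NOT NULL
);
GRANT SELECT, INSERT, UPDATE ON tickets TO app_user;
ALTER TABLE tickets ENABLE ROW LEVEL SECURITY;

-- INSERT policy is permissive: any owner value may be inserted.
CREATE POLICY tickets_insert ON tickets FOR INSERT TO app_user
    WITH CHECK (true);

-- SELECT and UPDATE policies only admit rows owned by the current user.
CREATE POLICY tickets_select ON tickets FOR SELECT TO app_user
    USING (owner = current_user);
CREATE POLICY tickets_update ON tickets FOR UPDATE TO app_user
    USING (owner = current_user)
    WITH CHECK (owner = current_user);

SET ROLE app_user;

-- No row with id 1 exists, so MERGE takes the WHEN NOT MATCHED path and
-- tries to insert a row owned by someone else. The INSERT policy allows it;
-- the SELECT and UPDATE policies would forbid it. A fixed server raises
-- "new row violates row-level security policy" here; an affected server
-- stores the row.
MERGE INTO tickets AS t
USING (VALUES (1, 'someone_else', 'open')) AS s(id, owner, status)
ON t.id = s.id
WHEN MATCHED THEN
    UPDATE SET status = s.status
WHEN NOT MATCHED THEN
    INSERT (id, owner, status) VALUES (s.id, s.owner, s.status);

RESET ROLE;

-- The superuser bypasses RLS, so this sees every stored row.
-- Expected on a fixed server: 0. A nonzero count means rows that the
-- SELECT/UPDATE policies forbid were stored through MERGE.
SELECT count(*) AS policy_violating_rows
FROM tickets
WHERE owner <> 'app_user';
```

The same setup can be reused as a post-upgrade check: if the MERGE runs to completion and the final count is nonzero, the server is still on an affected release.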

Solution(s)

  • postgres-upgrade-15_4
