BIT-postgresql-2023-2455

See a problem?

Import Source

https://github.com/bitnami/vulndb/tree/main/data/postgresql/BIT-postgresql-2023-2455.json

JSON Data

https://api.osv.dev/v1/vulns/BIT-postgresql-2023-2455

Aliases

CVE-2023-2455

Published

2024-03-06T11:03:24.881Z

Modified

2024-03-06T11:25:28.861Z

Summary

[none]

Details

Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

References

Affected packages

Bitnami / postgresql

Package

Name: postgresql
Purl: pkg:bitnami/postgresql

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Affected ranges

Type: SEMVER
Events: Introduced

11.0.0

Fixed

11.20.0

Introduced

12.0.0

Fixed

12.15.0

Introduced

13.0.0

Fixed

13.11.0

Introduced

14.0.0

Fixed

14.8.0

Introduced

15.0.0

Fixed

15.3.0