Back to bug 2228111
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| TEJ RATHI | 2023-08-01 12:31:50 UTC | CC | security-response-team | |
| TEJ RATHI | 2023-08-01 12:32:12 UTC | CC | fjanus, hhorak, jorton, pkubat, praiskup | |
| TEJ RATHI | 2023-08-01 12:33:45 UTC | Blocks | 2228105 | |
| TEJ RATHI | 2023-08-01 12:41:08 UTC | CC | adudiak, caswilli, fjansen, hkataria, jburrell, kaycoth, kshier, nweather, psegedy, stcannon, tsasak, yguenane | |
| TEJ RATHI | 2023-08-01 12:44:19 UTC | Depends On | 2228116, 2228118, 2228121, 2228115, 2228117, 2228119, 2228120 | |
| TEJ RATHI | 2023-08-01 12:47:45 UTC | CC | aazores, adupliak, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, eaguilar, ebaron, emingora, eric.wittmann, fjuma, fmongiar, gjospin, gmalinko, gsmet, hamadhan, hbraun, ibek, ivassile, iweiss, janstey, jcechace, jkang, jmartisk, jnethert, jpallich, jpechane, jpoth, jrokos, jross, kverlaen, lbacciot, lball, lgao, lthon, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, nboldt, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rkieley, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, scorneli, sdouglas, sfroberg, skontopo, smaestri, sthorger, tcunning, tom.jenkinson, tqvarnst, yfang | |
| TEJ RATHI | 2023-08-01 12:54:10 UTC | CC | nboldt, scorneli | |
| TEJ RATHI | 2023-08-10 05:24:36 UTC | CC | aazores, adupliak, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, eaguilar, ebaron, emingora, eric.wittmann, fjuma, fmongiar, gjospin, gmalinko, gsmet, hamadhan, hbraun, ibek, ivassile, iweiss, janstey, jcechace, jkang, jmartisk, jnethert, jpallich, jpechane, jpoth, jrokos, jross, kverlaen, lbacciot, lball, lgao, lthon, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rkieley, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, sdouglas, sfroberg, skontopo, smaestri, sthorger, tcunning, tom.jenkinson, tqvarnst, yfang | |
| TEJ RATHI | 2023-08-11 05:48:07 UTC | Fixed In Version | postgresql 11.21, postgresql 12.16, postgresql 13.12, postgresql 14.9, postgresql 15.4 | |
| TEJ RATHI | 2023-08-11 05:52:52 UTC | Depends On | 2231246, 2231245 | |
| TEJ RATHI | 2023-08-11 06:00:30 UTC | Deadline | 2023-08-10 | |
| | | Group | security, qe_staff | |
| | | Summary | EMBARGOED TRIAGE-CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection | TRIAGE-CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection |
| TEJ RATHI | 2023-08-11 06:01:01 UTC | Summary | TRIAGE-CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection | CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection |
| | | Alias | TRIAGE-CVE-2023-39417 | CVE-2023-39417 |
| TEJ RATHI | 2023-08-11 09:49:15 UTC | Doc Text | A SQL Injection vulnerability was found in PostgreSQL in extension script if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator having installed files of a vulnerable, trusted, non-bundled extension, then an attacker having database-level CREATE privilege could exploit this vulnerability by executing arbitrary code as the bootstrap superuser. | |
| RaTasha Tillery-Smith | 2023-08-11 12:15:21 UTC | Doc Text | A SQL Injection vulnerability was found in PostgreSQL in extension script if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator having installed files of a vulnerable, trusted, non-bundled extension, then an attacker having database-level CREATE privilege could exploit this vulnerability by executing arbitrary code as the bootstrap superuser. | IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser. |