Back to bug 2228112
| Who | When | What | Removed | Added |
|---|---|---|---|---|
| TEJ RATHI | 2023-08-01 12:31:51 UTC | CC | security-response-team | |
| TEJ RATHI | 2023-08-01 12:32:25 UTC | CC | fjanus, hhorak, jorton, pkubat, praiskup | |
| TEJ RATHI | 2023-08-01 12:33:45 UTC | Blocks | 2228105 | |
| TEJ RATHI | 2023-08-01 12:40:37 UTC | CC | adudiak, caswilli, fjansen, hkataria, jburrell, kaycoth, kshier, nweather, psegedy, stcannon, tsasak, yguenane | |
| TEJ RATHI | 2023-08-01 12:43:50 UTC | Depends On | 2228113, 2228114 | |
| TEJ RATHI | 2023-08-01 12:47:14 UTC | CC | aazores, adupliak, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, eaguilar, ebaron, emingora, eric.wittmann, fjuma, fmongiar, gjospin, gmalinko, gsmet, hamadhan, hbraun, ibek, ivassile, iweiss, janstey, jcechace, jkang, jmartisk, jnethert, jpallich, jpechane, jpoth, jrokos, jross, kverlaen, lbacciot, lball, lgao, lthon, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, nboldt, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rkieley, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, scorneli, sdouglas, sfroberg, skontopo, smaestri, sthorger, tcunning, tom.jenkinson, tqvarnst, yfang | |
| TEJ RATHI | 2023-08-01 12:54:20 UTC | CC | nboldt, scorneli | |
| TEJ RATHI | 2023-08-10 05:26:07 UTC | CC | aazores, adupliak, aileenc, alampare, alazarot, anstephe, asoldano, ataylor, avibelli, bbaranow, bgeorges, bmaxwell, boliveir, brian.stansberry, ccranfor, cdewolf, chazlett, clement.escoffier, dandread, darran.lofthouse, dhanak, dkreling, dosoudil, drichtar, dsimansk, eaguilar, ebaron, emingora, eric.wittmann, fjuma, fmongiar, gjospin, gmalinko, gsmet, hamadhan, hbraun, ibek, ivassile, iweiss, janstey, jcechace, jkang, jmartisk, jnethert, jpallich, jpechane, jpoth, jrokos, jross, kverlaen, lbacciot, lball, lgao, lthon, matzew, max.andersen, mnovotny, mosmerov, msochure, mstefank, msvehla, nwallace, pantinor, pdelbell, pdrozd, peholase, pgallagh, pjindal, pmackay, probinso, pskopek, rguimara, rhuss, rkieley, rowaters, rruss, rstancel, rsvoboda, saroy, sbiarozk, sdouglas, sfroberg, skontopo, smaestri, sthorger, tcunning, tom.jenkinson, tqvarnst, yfang | |
| TEJ RATHI | 2023-08-11 05:45:54 UTC | Fixed In Version | postgresql 15.4 | |
| TEJ RATHI | 2023-08-11 05:59:54 UTC | Summary | EMBARGOED TRIAGE-CVE-2023-39418 postgresql: MERGE fails to enforce UPDATE or SELECT row security policies | TRIAGE-CVE-2023-39418 postgresql: MERGE fails to enforce UPDATE or SELECT row security policies |
| | | Deadline | 2023-08-10 | |
| | | Group | qe_staff, security | |
| TEJ RATHI | 2023-08-11 06:01:22 UTC | Alias | TRIAGE-CVE-2023-39418 | CVE-2023-39418 |
| | | Summary | TRIAGE-CVE-2023-39418 postgresql: MERGE fails to enforce UPDATE or SELECT row security policies | CVE-2023-39418 postgresql: MERGE fails to enforce UPDATE or SELECT row security policies |
| TEJ RATHI | 2023-08-11 10:14:01 UTC | Doc Text | PostgreSQL 15 introduced the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. Subsequent consequences are application-dependent. This affects only databases that have used CREATE POLICY to define a row security policy. | |
| TEJ RATHI | 2023-08-11 10:20:19 UTC | Doc Text | PostgreSQL 15 introduced the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. Subsequent consequences are application-dependent. This affects only databases that have used CREATE POLICY to define a row security policy. | A vulnerability was found in PostgreSQL with the use of MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. Subsequent consequences are application-dependent. |
| TEJ RATHI | 2023-08-11 10:22:49 UTC | Doc Text | A vulnerability was found in PostgreSQL with the use of MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. Subsequent consequences are application-dependent. | A vulnerability was found in PostgreSQL with the use of MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. |
| RaTasha Tillery-Smith | 2023-08-11 12:16:46 UTC | Doc Text | A vulnerability was found in PostgreSQL with the use of MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some row that INSERT policies do not forbid, a user could store such rows. | A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows. |