Bug 2247168 (CVE-2023-5868)
Summary: | CVE-2023-5868 postgresql: Memory disclosure in aggregate function calls | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Avinash Hanwate <ahanwate> |
Component: | vulnerability | Assignee: | Product Security <prodsec-ir-bot> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | adudiak, caswilli, fjansen, fjanus, hhorak, hkataria, jorton, kaycoth, kshier, luizcosta, mcascell, nweather, orabin, psegedy, security-response-team, stcannon, trathi, yguenane |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | PostgreSQL 16.1, PostgreSQL 15.5, PostgreSQL 14.10, PostgreSQL 13.13, PostgreSQL 12.17, PostgreSQL 11.22 | Doc Type: | If docs needed, set a value |
Doc Text: |
A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2249041, 2249042, 2249043, 2249044, 2249045, 2249046, 2248842, 2248844, 2249777 | ||
Bug Blocks: | 2247166 |
Description
Avinash Hanwate
2023-10-31 04:09:29 UTC
This CVE is public now (lifting embargo...) https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/ Created mingw-postgresql tracking bugs for this issue: Affects: fedora-all [bug 2249042] Created postgresql tracking bugs for this issue: Affects: fedora-all [bug 2249041] Created postgresql:12/postgresql tracking bugs for this issue: Affects: fedora-all [bug 2249043] Created postgresql:13/postgresql tracking bugs for this issue: Affects: fedora-all [bug 2249044] Created postgresql:14/postgresql tracking bugs for this issue: Affects: fedora-all [bug 2249045] Created postgresql:15/postgresql tracking bugs for this issue: Affects: fedora-all [bug 2249046] This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:7545 https://access.redhat.com/errata/RHSA-2023:7545 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2023:7579 https://access.redhat.com/errata/RHSA-2023:7579 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:7580 https://access.redhat.com/errata/RHSA-2023:7580 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7581 https://access.redhat.com/errata/RHSA-2023:7581 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2023:7616 https://access.redhat.com/errata/RHSA-2023:7616 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2023:7656 https://access.redhat.com/errata/RHSA-2023:7656 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Advanced Update Support Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions Red Hat Enterprise Linux 8.2 Telecommunications Update Service Via RHSA-2023:7667 https://access.redhat.com/errata/RHSA-2023:7667 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:7666 https://access.redhat.com/errata/RHSA-2023:7666 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:7694 https://access.redhat.com/errata/RHSA-2023:7694 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions Red Hat Enterprise Linux 8.4 Telecommunications Update Service Via RHSA-2023:7695 https://access.redhat.com/errata/RHSA-2023:7695 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7714 https://access.redhat.com/errata/RHSA-2023:7714 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:7770 https://access.redhat.com/errata/RHSA-2023:7770 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2023:7772 https://access.redhat.com/errata/RHSA-2023:7772 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7784 https://access.redhat.com/errata/RHSA-2023:7784 This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:7785 https://access.redhat.com/errata/RHSA-2023:7785 This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2023:7885 https://access.redhat.com/errata/RHSA-2023:7885 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2023:7883 https://access.redhat.com/errata/RHSA-2023:7883 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7884 https://access.redhat.com/errata/RHSA-2023:7884 This issue has been addressed in the following products: RHACS-3.74-RHEL-8 Via RHSA-2024:0304 https://access.redhat.com/errata/RHSA-2024:0304 This issue has been addressed in the following products: RHACS-4.1-RHEL-8 Via RHSA-2024:0332 https://access.redhat.com/errata/RHSA-2024:0332 This issue has been addressed in the following products: Red Hat Advanced Cluster Security 4.2 Via RHSA-2024:0337 https://access.redhat.com/errata/RHSA-2024:0337 |