Bug 2228111 (CVE-2023-39417) - CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection
Summary: CVE-2023-39417 postgresql: extension script @substitutions@ within quoting al...
Keywords:
Status: NEW
Alias: CVE-2023-39417
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2228115 2228116 2228117 2228118 2228119 2228120 2228121 2231245 2231246
Blocks: 2228105
Reported: 2023-08-01 12:31 UTC by TEJ RATHI
Modified: 2024-03-18 12:56 UTC (History)

Fixed In Version: postgresql 11.21, postgresql 12.16, postgresql 13.12, postgresql 14.9, postgresql 15.4
Doc Type: If docs needed, set a value
Doc Text:
A SQL injection vulnerability was found in PostgreSQL extension scripts that use @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed the files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:7618 0 None None None 2023-11-30 16:04:10 UTC
Red Hat Product Errata RHBA-2023:7774 0 None None None 2023-12-13 09:52:07 UTC
Red Hat Product Errata RHBA-2023:7779 0 None None None 2023-12-13 14:34:43 UTC
Red Hat Product Errata RHBA-2024:0031 0 None None None 2024-01-02 13:43:38 UTC
Red Hat Product Errata RHBA-2024:0063 0 None None None 2024-01-04 07:36:04 UTC
Red Hat Product Errata RHBA-2024:0099 0 None None None 2024-01-09 16:22:56 UTC
Red Hat Product Errata RHBA-2024:0109 0 None None None 2024-01-10 08:29:45 UTC
Red Hat Product Errata RHSA-2023:7545 0 None None None 2023-11-28 15:08:21 UTC
Red Hat Product Errata RHSA-2023:7579 0 None None None 2023-11-29 14:07:21 UTC
Red Hat Product Errata RHSA-2023:7580 0 None None None 2023-11-29 14:10:23 UTC
Red Hat Product Errata RHSA-2023:7581 0 None None None 2023-11-29 14:11:35 UTC
Red Hat Product Errata RHSA-2023:7616 0 None None None 2023-11-30 14:57:04 UTC
Red Hat Product Errata RHSA-2023:7656 0 None None None 2023-12-05 16:03:44 UTC
Red Hat Product Errata RHSA-2023:7666 0 None None None 2023-12-06 09:48:13 UTC
Red Hat Product Errata RHSA-2023:7667 0 None None None 2023-12-06 09:47:16 UTC
Red Hat Product Errata RHSA-2023:7694 0 None None None 2023-12-07 08:20:26 UTC
Red Hat Product Errata RHSA-2023:7695 0 None None None 2023-12-07 08:20:52 UTC
Red Hat Product Errata RHSA-2023:7714 0 None None None 2023-12-11 09:49:28 UTC
Red Hat Product Errata RHSA-2023:7770 0 None None None 2023-12-13 08:02:16 UTC
Red Hat Product Errata RHSA-2023:7772 0 None None None 2023-12-13 08:02:44 UTC
Red Hat Product Errata RHSA-2023:7784 0 None None None 2023-12-13 15:31:15 UTC
Red Hat Product Errata RHSA-2023:7785 0 None None None 2023-12-13 15:31:29 UTC
Red Hat Product Errata RHSA-2023:7883 0 None None None 2023-12-20 10:50:18 UTC
Red Hat Product Errata RHSA-2023:7884 0 None None None 2023-12-20 10:50:42 UTC
Red Hat Product Errata RHSA-2023:7885 0 None None None 2023-12-20 10:50:08 UTC
Red Hat Product Errata RHSA-2024:0304 0 None None None 2024-01-18 20:42:09 UTC
Red Hat Product Errata RHSA-2024:0332 0 None None None 2024-01-22 18:54:21 UTC
Red Hat Product Errata RHSA-2024:0337 0 None None None 2024-01-22 20:55:27 UTC

Description TEJ RATHI 2023-08-01 12:31:50 UTC
An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or "").  No bundled extension is vulnerable.  Vulnerable uses do appear in a documentation example and in non-bundled extensions.  Hence, the attack prerequisite is an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enables an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. PostgreSQL will block this attack in the core server, so there's no need to modify individual extensions.

Supported, Vulnerable Versions: 11 - 15.
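The condition described above (a substitution token inside '', "" or dollar quoting) is mechanical enough to check for. The following scanner is an added example, not code from this bug report or from the PostgreSQL project: it walks an extension script, skips SQL comments, tracks the three quoting constructs the advisory names, and reports every @extowner@, @extschema@ or @extschema:...@ token that sits inside one of them. The sample script embedded in it is constructed for illustration and is not any real extension's file; the file paths it reads are whatever the caller passes on the command line (an assumption, since the extension directory is not named on this page).

```python
"""Audit a PostgreSQL extension script for CVE-2023-39417-style substitution use.

Added example, not PostgreSQL project code. It flags @extowner@, @extschema@
and @extschema:...@ tokens that appear inside a quoting construct, the pattern
the advisory describes. Patched servers block the attack in core; this scanner
is for reviewing installed extension files on hosts that are not yet patched,
or for extension authors who want to avoid the pattern altogether.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Tokens named by the advisory; @extschema:NAME@ refers to another extension's schema.
SUBSTITUTION_RE = re.compile(r"@(?:extowner|extschema|extschema:[^@\s]+)@")
# $$ or $tag$ opening a dollar-quoted string.
DOLLAR_TAG_RE = re.compile(r"\$(?:[A-Za-z_][A-Za-z0-9_]*)?\$")


@dataclass(frozen=True)
class Finding:
    line: int      # 1-based line of the token in the script
    token: str     # the substitution token found
    quoting: str   # "single", "double" or "dollar"


def quoted_regions(script: str):
    """Yield (start, end, quoting) index ranges for each quoted construct.

    SQL comments are skipped so quote characters inside them are ignored, and a
    doubled quote ('' or "") is treated as an escape rather than a close.
    Limitation: E'...' strings with backslash escapes are not special-cased.
    """
    i, n = 0, len(script)
    while i < n:
        if script.startswith("--", i):                     # line comment
            nl = script.find("\n", i)
            i = n if nl < 0 else nl + 1
        elif script.startswith("/*", i):                   # block comment (nests)
            depth, i = 1, i + 2
            while i < n and depth:
                if script.startswith("/*", i):
                    depth, i = depth + 1, i + 2
                elif script.startswith("*/", i):
                    depth, i = depth - 1, i + 2
                else:
                    i += 1
        elif script[i] in "'\"":                           # '...' or "..."
            q, start = script[i], i + 1
            j = start
            while j < n:
                if script[j] == q:
                    if j + 1 < n and script[j + 1] == q:   # doubled quote escape
                        j += 2
                        continue
                    break
                j += 1
            yield start, j, "single" if q == "'" else "double"
            i = j + 1
        elif script[i] == "$" and (m := DOLLAR_TAG_RE.match(script, i)):
            tag, start = m.group(0), m.end()
            close = script.find(tag, start)                # the same tag closes it
            end = n if close < 0 else close
            yield start, end, "dollar"
            i = end + len(tag)
        else:
            i += 1


def scan_extension_script(script: str) -> list[Finding]:
    """Return every substitution token that sits inside a quoted construct."""
    findings = []
    for start, end, quoting in quoted_regions(script):
        for m in SUBSTITUTION_RE.finditer(script, start, end):
            line = script.count("\n", 0, m.start()) + 1
            findings.append(Finding(line, m.group(0), quoting))
    return findings


# Constructed sample script for demonstration; it is not any real extension's file.
SAMPLE_SCRIPT = """\
-- constructed example, not a real extension
CREATE FUNCTION @extschema@.safe_fn() RETURNS int
    LANGUAGE sql AS 'SELECT 1';            -- fine: token is outside the quotes
CREATE FUNCTION @extschema@.risky_fn() RETURNS text
    LANGUAGE plpgsql AS $$
BEGIN
    RETURN '@extschema@';                   -- flagged: inside dollar quoting
END
$$;
COMMENT ON FUNCTION @extschema@.safe_fn() IS 'owned by @extowner@';  -- flagged
/* @extschema@ in a comment is never executed and is ignored */
"""

if __name__ == "__main__":
    # Scan the files given on the command line, or the embedded sample if none.
    scripts = [(p, Path(p).read_text(encoding="utf-8")) for p in sys.argv[1:]]
    for name, text in scripts or [("<sample>", SAMPLE_SCRIPT)]:
        for f in scan_extension_script(text):
            print(f"{name}:{f.line}: {f.token} inside {f.quoting} quoting")
```

Run against the sample it reports two hits: the @extschema@ inside the dollar-quoted function body and the @extowner@ inside the single-quoted COMMENT string; the @extschema@ uses that qualify object names outside quotes are the intended, safe form and are not reported.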

Comment 4 TEJ RATHI 2023-08-11 06:00:30 UTC
This CVE is now public - https://www.postgresql.org/support/security/CVE-2023-39417

Comment 5 errata-xmlrpc 2023-11-28 15:08:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:7545 https://access.redhat.com/errata/RHSA-2023:7545

Comment 6 errata-xmlrpc 2023-11-29 14:07:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7579 https://access.redhat.com/errata/RHSA-2023:7579

Comment 7 errata-xmlrpc 2023-11-29 14:10:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7580 https://access.redhat.com/errata/RHSA-2023:7580

Comment 8 errata-xmlrpc 2023-11-29 14:11:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7581 https://access.redhat.com/errata/RHSA-2023:7581

Comment 9 errata-xmlrpc 2023-11-30 14:57:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7616 https://access.redhat.com/errata/RHSA-2023:7616

Comment 11 errata-xmlrpc 2023-12-05 16:03:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7656 https://access.redhat.com/errata/RHSA-2023:7656

Comment 12 errata-xmlrpc 2023-12-06 09:47:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2023:7667 https://access.redhat.com/errata/RHSA-2023:7667

Comment 13 errata-xmlrpc 2023-12-06 09:48:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7666 https://access.redhat.com/errata/RHSA-2023:7666

Comment 14 errata-xmlrpc 2023-12-07 08:20:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:7694 https://access.redhat.com/errata/RHSA-2023:7694

Comment 15 errata-xmlrpc 2023-12-07 08:20:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2023:7695 https://access.redhat.com/errata/RHSA-2023:7695

Comment 16 errata-xmlrpc 2023-12-11 09:49:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7714 https://access.redhat.com/errata/RHSA-2023:7714

Comment 17 errata-xmlrpc 2023-12-13 08:02:14 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:7770 https://access.redhat.com/errata/RHSA-2023:7770

Comment 18 errata-xmlrpc 2023-12-13 08:02:41 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2023:7772 https://access.redhat.com/errata/RHSA-2023:7772

Comment 19 errata-xmlrpc 2023-12-13 15:31:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7784 https://access.redhat.com/errata/RHSA-2023:7784

Comment 20 errata-xmlrpc 2023-12-13 15:31:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:7785 https://access.redhat.com/errata/RHSA-2023:7785

Comment 21 errata-xmlrpc 2023-12-20 10:50:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7885 https://access.redhat.com/errata/RHSA-2023:7885

Comment 22 errata-xmlrpc 2023-12-20 10:50:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7883 https://access.redhat.com/errata/RHSA-2023:7883

Comment 23 errata-xmlrpc 2023-12-20 10:50:40 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7884 https://access.redhat.com/errata/RHSA-2023:7884

Comment 25 errata-xmlrpc 2024-01-18 20:42:06 UTC
This issue has been addressed in the following products:

  RHACS-3.74-RHEL-8

Via RHSA-2024:0304 https://access.redhat.com/errata/RHSA-2024:0304

Comment 26 errata-xmlrpc 2024-01-22 18:54:19 UTC
This issue has been addressed in the following products:

  RHACS-4.1-RHEL-8

Via RHSA-2024:0332 https://access.redhat.com/errata/RHSA-2024:0332

Comment 27 errata-xmlrpc 2024-01-22 20:55:24 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Security 4.2

Via RHSA-2024:0337 https://access.redhat.com/errata/RHSA-2024:0337

