All errata/c10f1/ALT-PU-2023-5198-3
ALT-PU-2023-5198-3

Package update postgresql11 in branch c10f1

Version11.21-alt0.p10.1
Task#328071
Published2023-08-29
Max severityHIGH
Severity:

Closed issues (6)

BDU:2023-03024
MEDIUM4.2

Уязвимость компонента Schema Handler системы управления базами данных PostgreSQL, позволяющая нарушителю обойти ограничения безопасности

Published: 2023-06-05Modified: 2025-08-19
CVSS 3.xMEDIUM 4.2
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CVSS 2.0LOW 3.6
CVSS:2.0/AV:N/AC:H/Au:S/C:P/I:P/A:N
References
BDU:2023-03247
HIGH7.2

Уязвимость системы управления базами данных PostgreSQL, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код

Published: 2023-06-20Modified: 2025-03-19
CVSS 3.xHIGH 7.2
CVSS:3.x/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 8.3
CVSS:2.0/AV:N/AC:L/Au:M/C:C/I:C/A:C
References
BDU:2023-04767
HIGH7.5

Уязвимость системы управления базами данных PostgreSQL, связанная с возможностью SQL-инъекций в расширениях, позволяющая нарушителю выполнять произвольный SQL-запрос к базе данных

Published: 2023-08-21Modified: 2025-03-19
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 2.0HIGH 7.1
CVSS:2.0/AV:N/AC:H/Au:S/C:C/I:C/A:C
References
CVE-2023-2454
HIGH7.2

schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.

Published: 2023-06-09Modified: 2025-01-06
CVSS 3.xHIGH 7.2
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
References
CVE-2023-2455
MEDIUM5.4

Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

Published: 2023-06-09Modified: 2025-01-06
CVSS 3.xMEDIUM 5.4
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
References
CVE-2023-39417
HIGH8.8

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

Published: 2023-08-11Modified: 2024-11-21
CVSS 3.xHIGH 8.8
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References