CVE-2023-39417: Postgresql: extension script @substitutions@ within quoting allow sql injection
First published: Tue Aug 01 2023(Updated: )
An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite is an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enables an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. PostgreSQL will block this attack in the core server, so there's no need to modify individual extensions. Supported, Vulnerable Versions: 11 - 15.
Credit: secalert@redhat.com secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ubuntu/postgresql-14 | <14.9-0ubuntu0.22.04.1 | 14.9-0ubuntu0.22.04.1 |
| ubuntu/postgresql-12 | <12.16-0ubuntu0.20.04.1 | 12.16-0ubuntu0.20.04.1 |
| ubuntu/postgresql-9.5 | <9.5.25-0ubuntu0.16.04.1+ | 9.5.25-0ubuntu0.16.04.1+ |
| ubuntu/postgresql-15 | <15.4-1 | 15.4-1 |
| ubuntu/postgresql-15 | <15.4-0ubuntu0.23.04.1 | 15.4-0ubuntu0.23.04.1 |
| ubuntu/postgresql-15 | <15.4-1ubuntu1 | 15.4-1ubuntu1 |
| PostgreSQL PostgreSQL | >=11.0<11.21 | |
| PostgreSQL PostgreSQL | >=12.0<12.16 | |
| PostgreSQL PostgreSQL | >=13.0<13.12 | |
| PostgreSQL PostgreSQL | >=14.0<14.9 | |
| PostgreSQL PostgreSQL | >=15.0<15.4 | |
| Redhat Software Collections | ||
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =11.0 | |
| Debian Debian Linux | =12.0 | |
| redhat/postgresql | <11.21 | 11.21 |
| redhat/postgresql | <12.16 | 12.16 |
| redhat/postgresql | <13.12 | 13.12 |
| redhat/postgresql | <14.9 | 14.9 |
| redhat/postgresql | <15.4 | 15.4 |
| debian/postgresql-11 | <=11.16-0+deb10u1 | 11.22-0+deb10u2 |
| debian/postgresql-13 | 13.13-0+deb11u1 13.14-0+deb11u1 | |
| debian/postgresql-15 | 15.5-0+deb12u1 15.6-0+deb12u1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2023:7545
- https://access.redhat.com/errata/RHSA-2023:7579
- https://access.redhat.com/errata/RHSA-2023:7580
- https://access.redhat.com/errata/RHSA-2023:7581
- https://access.redhat.com/errata/RHSA-2023:7616
- https://access.redhat.com/errata/RHSA-2023:7656
- https://access.redhat.com/errata/RHSA-2023:7666
- https://access.redhat.com/errata/RHSA-2023:7667
- https://access.redhat.com/errata/RHSA-2023:7694
- https://access.redhat.com/errata/RHSA-2023:7695
- https://access.redhat.com/errata/RHSA-2023:7714
- https://access.redhat.com/errata/RHSA-2023:7770
- https://access.redhat.com/errata/RHSA-2023:7772
- https://access.redhat.com/errata/RHSA-2023:7784
- https://access.redhat.com/errata/RHSA-2023:7785
- https://access.redhat.com/errata/RHSA-2023:7883
- https://access.redhat.com/errata/RHSA-2023:7884
- https://access.redhat.com/errata/RHSA-2023:7885
- https://access.redhat.com/errata/RHSA-2024:0304
- https://access.redhat.com/errata/RHSA-2024:0332
- https://access.redhat.com/errata/RHSA-2024:0337
- https://access.redhat.com/security/cve/CVE-2023-39417
- https://bugzilla.redhat.com/show_bug.cgi?id=2228111
- https://lists.debian.org/debian-lts-announce/2023/10/msg00003.html
- https://security.netapp.com/advisory/ntap-20230915-0002/
- https://www.debian.org/security/2023/dsa-5553
- https://www.debian.org/security/2023/dsa-5554
- https://www.postgresql.org/support/security/CVE-2023-39417
- https://launchpad.net/bugs/cve/CVE-2023-39417
- https://exchange.xforce.ibmcloud.com/vulnerabilities/263270
- https://www.ibm.com/support/pages/node/7114419 (Advisory)
- https://www.postgresql.org/support/security/CVE-2023-39417/
- https://www.postgresql.org/about/news/postgresql-154-149-1312-1216-1121-and-postgresql-16-beta-3-released-2689/
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=de494ec14f6bd7f2676623a5934723a6c8ba51c2
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=b1b585e0fc3dd195bc2e338c80760bede08de5f1
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=919ebb023e74546c6293352556365091c5402366
- https://security-tracker.debian.org/tracker/CVE-2023-39417
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=de494ec14f6bd7f2676623a5934723a6c8ba51c2 (REL_15_4)
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=b1b585e0fc3dd195bc2e338c80760bede08de5f1 (REL_13_12)
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=919ebb023e74546c6293352556365091c5402366 (REL_11_21)
- https://ubuntu.com/security/notices/USN-6296-1
- https://ubuntu.com/security/notices/USN-6366-1
- https://www.cve.org/CVERecord?id=CVE-2023-39417
- https://nvd.nist.gov/vuln/detail/CVE-2023-39417
- https://ubuntu.com/security/CVE-2023-39417
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2023-39417.
What is the severity of CVE-2023-39417?
The severity of CVE-2023-39417 is high.
Which software is affected by CVE-2023-39417?
PostgreSQL versions 11.0 to 15.4 are affected by CVE-2023-39417.
How does the SQL Injection vulnerability in PostgreSQL occur?
The SQL Injection vulnerability occurs when PostgreSQL uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ").
Are there any remedies available for CVE-2023-39417?
Yes, there are remedies available for CVE-2023-39417. Please refer to the official sources for more information.
- agent/type
- agent/first-publish-date
- agent/title
- agent/author
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/launchpad-cve
- source/Launchpad
- collector/ibm-support
- source/IBM
- agent/references
- agent/severity
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- collector/nvd-api
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-39417
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/11.0
- version/postgresql postgresql/12.0
- version/postgresql postgresql/13.0
- version/postgresql postgresql/14.0
- version/postgresql postgresql/15.0
- vendor/redhat
- canonical/redhat software collections
- canonical/redhat enterprise linux
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/8.0
- version/debian debian linux/11.0
- version/debian debian linux/12.0
- package-manager/debian
- package-manager/redhat
- package-manager/ubuntu