First published: Tue Oct 31 2023(Updated: )
A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.
Credit: secalert@redhat.com secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
PostgreSQL PostgreSQL | >=11.0<11.22 | |
PostgreSQL PostgreSQL | >=12.0<12.17 | |
PostgreSQL PostgreSQL | >=13.0<13.13 | |
PostgreSQL PostgreSQL | >=14.0<14.10 | |
PostgreSQL PostgreSQL | >=15.0<15.5 | |
PostgreSQL PostgreSQL | =16.0 | |
Redhat Codeready Linux Builder Eus | =9.2 | |
Redhat Codeready Linux Builder Eus For Power Little Endian Eus | =9.0_ppc64le | |
Redhat Codeready Linux Builder Eus For Power Little Endian Eus | =9.2_ppc64le | |
Redhat Codeready Linux Builder For Arm64 Eus | =8.6_aarch64 | |
Redhat Codeready Linux Builder For Arm64 Eus | =9.0_aarch64 | |
Redhat Codeready Linux Builder For Arm64 Eus | =9.2_aarch64 | |
Redhat Codeready Linux Builder For Ibm Z Systems Eus | =9.0_s390x | |
Redhat Codeready Linux Builder For Ibm Z Systems Eus | =9.2_s390x | |
Redhat Codeready Linux Builder For Power Little Endian Eus | =9.0_ppc64le | |
Redhat Codeready Linux Builder For Power Little Endian Eus | =9.2_ppc64le | |
Redhat Software Collections | =1.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux | =9.0 | |
Redhat Enterprise Linux Eus | =8.6 | |
Redhat Enterprise Linux Eus | =8.8 | |
Redhat Enterprise Linux Eus | =9.0 | |
Redhat Enterprise Linux Eus | =9.2 | |
Redhat Enterprise Linux For Arm 64 | =8.0 | |
Redhat Enterprise Linux For Arm 64 | =8.8_aarch64 | |
Redhat Enterprise Linux For Ibm Z Systems | =8.0_s390x | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =8.6_s390x | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =8.8_s390x | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =9.0_s390x | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =9.2_s390x | |
Redhat Enterprise Linux For Power Little Endian | =8.0_ppc64le | |
Redhat Enterprise Linux For Power Little Endian Eus | =8.6_ppc64le | |
Redhat Enterprise Linux For Power Little Endian Eus | =8.8_ppc64le | |
Redhat Enterprise Linux For Power Little Endian Eus | =9.0_ppc64le | |
Redhat Enterprise Linux For Power Little Endian Eus | =9.2_ppc64le | |
Redhat Enterprise Linux Server Aus | =8.2 | |
Redhat Enterprise Linux Server Aus | =8.4 | |
Redhat Enterprise Linux Server Aus | =8.6 | |
Redhat Enterprise Linux Server Aus | =9.2 | |
Redhat Enterprise Linux Server Tus | =8.2 | |
Redhat Enterprise Linux Server Tus | =8.4 | |
Redhat Enterprise Linux Server Tus | =8.6 | |
redhat/PostgreSQL | <16.1 | 16.1 |
redhat/PostgreSQL | <15.5 | 15.5 |
redhat/PostgreSQL | <14.10 | 14.10 |
redhat/PostgreSQL | <13.13 | 13.13 |
redhat/PostgreSQL | <12.17 | 12.17 |
redhat/PostgreSQL | <11.22 | 11.22 |
ubuntu/postgresql-10 | <10.23-0ubuntu0.18.04.2+ | 10.23-0ubuntu0.18.04.2+ |
ubuntu/postgresql-12 | <12.17-0ubuntu0.20.04.1 | 12.17-0ubuntu0.20.04.1 |
ubuntu/postgresql-12 | <12.17 | 12.17 |
ubuntu/postgresql-14 | <14.10-0ubuntu0.22.04.1 | 14.10-0ubuntu0.22.04.1 |
ubuntu/postgresql-14 | <14.10 | 14.10 |
ubuntu/postgresql-15 | <15.5-0ubuntu0.23.04.1 | 15.5-0ubuntu0.23.04.1 |
ubuntu/postgresql-15 | <15.5-0ubuntu0.23.10.1 | 15.5-0ubuntu0.23.10.1 |
ubuntu/postgresql-15 | <15.5 | 15.5 |
ubuntu/postgresql-16 | <16.1 | 16.1 |
debian/postgresql-13 | 13.16-0+deb11u1 | |
debian/postgresql-15 | 15.8-0+deb12u1 | |
debian/postgresql-16 | 16.4-1 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2023-5868 is a vulnerability that allows memory disclosure in aggregate function calls.
The software affected by CVE-2023-5868 includes PostgreSQL versions 11.16-0+deb10u1, 13.11-0+deb11u1, 15.3-0+deb12u1, 16.1-1, and Red Hat PostgreSQL versions 16.1, 15.5, 14.10, 13.13, 12.17, and 11.22. It also affects Ubuntu PostgreSQL versions 14.10-0ubuntu0.22.04.1, 14.10, 12.17-0ubuntu0.20.04.1, 12.17, 15.5, 15.5-0ubuntu0.23.04.1, and 15.5-0ubuntu0.23.10.1.
CVE-2023-5868 has a severity level of medium.
To fix the CVE-2023-5868 vulnerability, you should update your PostgreSQL installation to a version that includes the necessary security patches. Please refer to the official PostgreSQL website and your OS package manager for the latest updates and instructions.
You can find more information about CVE-2023-5868 on the official PostgreSQL website, the Debian Security Tracker, and the provided references.