First published: Thu Aug 17 2023
It was discovered that PostgreSQL incorrectly handled certain extension script substitutions. An attacker with database-level CREATE privileges could use this issue to execute arbitrary code as the bootstrap superuser. (CVE-2023-39417)

It was discovered that PostgreSQL incorrectly handled the MERGE command. A remote attacker could possibly use this issue to bypass certain UPDATE and SELECT row security policies. This issue only affected Ubuntu 23.04. (CVE-2023-39418)
Each row applies only when both conditions hold: the named package is installed at a version below the fixed one, and the host runs the listed Ubuntu release.

| Affected Software | Affected Version | Ubuntu Release | How to fix |
|---|---|---|---|
| ubuntu/postgresql-15 | <15.4-0ubuntu0.23.04.1 | 23.04 | 15.4-0ubuntu0.23.04.1 |
| ubuntu/postgresql-client-15 | <15.4-0ubuntu0.23.04.1 | 23.04 | 15.4-0ubuntu0.23.04.1 |
| ubuntu/postgresql-14 | <14.9-0ubuntu0.22.04.1 | 22.04 | 14.9-0ubuntu0.22.04.1 |
| ubuntu/postgresql-client-14 | <14.9-0ubuntu0.22.04.1 | 22.04 | 14.9-0ubuntu0.22.04.1 |
| ubuntu/postgresql-12 | <12.16-0ubuntu0.20.04.1 | 20.04 | 12.16-0ubuntu0.20.04.1 |
| ubuntu/postgresql-client-12 | <12.16-0ubuntu0.20.04.1 | 20.04 | 12.16-0ubuntu0.20.04.1 |
CVE-2023-39417
High
An attacker with database-level CREATE privileges can use the vulnerability to execute arbitrary code as the bootstrap superuser.
PostgreSQL packages earlier than 15.4, 14.9, and 12.16 on Ubuntu 23.04, 22.04, and 20.04 respectively are affected.
Update to the latest PostgreSQL packages provided by Ubuntu.
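To turn the table above into a repeatable check, the following script (an added example, not part of the advisory or of Ubuntu's tooling) compares installed `postgresql-*` package versions against the fixed versions listed here. It reads the output of `dpkg-query -W -f '${Package} ${Version}\n'`; the sample output embedded below is constructed for a hypothetical 22.04 host. It compares only the upstream part of each Debian version (15.4, 14.9, 12.16), on the assumption that any package carrying the patched upstream point release is fixed; it does not implement full Debian revision ordering.

```python
"""Flag installed PostgreSQL packages still below the versions fixed in this advisory."""
import re
import subprocess

# Fixed package versions taken from the advisory table (CVE-2023-39417 / CVE-2023-39418).
FIXED_VERSIONS = {
    "postgresql-15": "15.4-0ubuntu0.23.04.1",
    "postgresql-client-15": "15.4-0ubuntu0.23.04.1",
    "postgresql-14": "14.9-0ubuntu0.22.04.1",
    "postgresql-client-14": "14.9-0ubuntu0.22.04.1",
    "postgresql-12": "12.16-0ubuntu0.20.04.1",
    "postgresql-client-12": "12.16-0ubuntu0.20.04.1",
}

# Constructed sample of `dpkg-query -W -f '${Package} ${Version}\n'` output from a
# hypothetical Ubuntu 22.04 host: the server package lags one point release behind.
SAMPLE_DPKG_OUTPUT = """\
postgresql-14 14.8-0ubuntu0.22.04.1
postgresql-client-14 14.9-0ubuntu0.22.04.1
postgresql-common 238
libpq5 14.9-0ubuntu0.22.04.1
"""


def upstream_version(pkg_version):
    """Return the upstream part of a Debian version as a tuple of ints.

    '14.8-0ubuntu0.22.04.1' -> (14, 8); the Ubuntu revision after '-' is ignored
    (assumption: the fix is carried by the new upstream point release).
    """
    upstream = pkg_version.split("-", 1)[0]
    return tuple(int(part) for part in re.findall(r"\d+", upstream))


def parse_dpkg_output(text):
    """Parse 'package version' lines into a dict; blank or malformed lines are skipped."""
    installed = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:
            installed[fields[0]] = fields[1]
    return installed


def find_vulnerable(installed):
    """Return {package: (installed_version, fixed_version)} for packages below the fix."""
    vulnerable = {}
    for package, fixed in FIXED_VERSIONS.items():
        current = installed.get(package)
        if current is None:
            continue  # package not installed on this host
        if upstream_version(current) < upstream_version(fixed):
            vulnerable[package] = (current, fixed)
    return vulnerable


def check_local_host():
    """Run dpkg-query on the current machine (Debian/Ubuntu only) and report."""
    output = subprocess.run(
        ["dpkg-query", "-W", "-f", "${Package} ${Version}\n"],
        check=True, capture_output=True, text=True,
    ).stdout
    return find_vulnerable(parse_dpkg_output(output))


if __name__ == "__main__":
    # Demonstrate on the constructed sample rather than the live host.
    for package, (current, fixed) in find_vulnerable(parse_dpkg_output(SAMPLE_DPKG_OUTPUT)).items():
        print(f"{package}: installed {current}, fixed in {fixed}")
```

On a real host, `check_local_host()` replaces the constructed sample with live `dpkg-query` output; a package reported here should be upgraded with the usual `apt` update, after which the PostgreSQL service must be restarted for the new binaries to take effect.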