CVE-2023-5869

Description

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

How to fix CVE-2023-5869

To remediate CVE-2023-5869, upgrade the affected package to a fixed version below.

• —upgrade to 14.10-r0 or later
• —upgrade to 15.5-r0 or later
• —upgrade to 16.1-r0 or later
• —upgrade to 11.22.0 or later
• —upgrade to 13.13-0+deb11u1 or later
• —upgrade to 15.5-0+deb12u1 or later

Is CVE-2023-5869 being exploited?

Low — EPSS is 1.6%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 14.10-r0
• from 0, < 15.5-r0
• from 0, < 16.1-r0
• >= 11.0.0, < 11.22.0, >= 12.0.0, < 12.17.0, >= 13.0.0, < 13.13.0, >= 14.0.0, < 14.10.0, >= 15.0.0, < 15.5.0, >= 16.0.0, < 16.0.1
• from 0, < 13.13-0+deb11u1
• from 0, < 15.5-0+deb12u1

CVSS scores

References (38)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2023-5869
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2023-5869
• WEBaccess.redhat.com/errata/RHSA-2023:7545
• WEBaccess.redhat.com/errata/RHSA-2023:7579
• WEB