CVE-2023-39417

Public on 2023-08-11
Modified on 2025-04-08
Description
IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

This issue requires that the administrator has installed files of a vulnerable, trusted, non-bundled extension. Considering the tradeoff between the stability of HAQM Linux and the impact of CVE-2023-39417, a fix will not be provided for postgresql in HAQM Linux 2 core at this time. Please consider migrating to postgresql13 or postgresql14 in HAQM Linux 2 Extras instead.
Severity
Important severity
Important
CVSS v3 Base Score
7.5
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
HAQM Linux 2 - Core postgresql No Fix Planned
HAQM Linux 2 - Postgresql11 Extra postgresql 2023-09-06 ALAS2POSTGRESQL11-2023-004 Fixed
HAQM Linux 2 - Postgresql12 Extra postgresql 2023-09-06 ALAS2POSTGRESQL12-2023-005 Fixed
HAQM Linux 2 - Postgresql13 Extra postgresql 2023-09-06 ALAS2POSTGRESQL13-2023-004 Fixed
HAQM Linux 2 - Postgresql14 Extra postgresql 2023-09-06 ALAS2POSTGRESQL14-2023-003 Fixed
HAQM Linux 2023 postgresql15 2023-08-31 ALAS2023-2023-322 Fixed

CVSS Scores

Score Type Score Vector
HAQM Linux CVSSv3 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD CVSSv3 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2023-39417 Mitre: CVE-2023-39417