CVE-2023-5868
Public on 2023-11-12
Modified on 2024-03-13
Description
Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| HAQM Linux 2 - Core | postgresql | Pending Fix | ||
| HAQM Linux 2 - Postgresql12 Extra | postgresql | 2024-01-19 | ALAS2POSTGRESQL12-2024-007 | Fixed |
| HAQM Linux 2 - Postgresql13 Extra | postgresql | 2024-01-19 | ALAS2POSTGRESQL13-2024-005 | Fixed |
| HAQM Linux 2 - Postgresql14 Extra | postgresql | 2024-01-19 | ALAS2POSTGRESQL14-2024-004 | Fixed |
| HAQM Linux 2023 | postgresql15 | 2024-01-03 | ALAS2023-2024-464 | Fixed |
| HAQM Linux 1 | postgresql92 | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| HAQM Linux | CVSSv3 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| NVD | CVSSv3 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |