Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2023-2455

Public on 2023-05-13
Modified on 2024-01-12
Description

While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

Severity
Medium
See what this means
CVSS v3 Base Score
4.2
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 2 - Postgresql11 Extra postgresql 2023-08-07 05:59 ALAS2POSTGRESQL11-2023-001
Amazon Linux 2 - Postgresql12 Extra postgresql 2023-08-07 05:59 ALAS2POSTGRESQL12-2023-001
Amazon Linux 2 - Postgresql13 Extra postgresql 2023-08-07 05:59 ALAS2POSTGRESQL13-2023-001
Amazon Linux 2 - Postgresql14 Extra postgresql 2023-08-07 05:59 ALAS2POSTGRESQL14-2023-001
Amazon Linux 2023 postgresql15 2023-10-12 16:11 ALAS2023-2023-387
Amazon Linux 2 - Core postgresql 2024-02-15 03:52 ALAS2-2024-2462

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.2 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
NVD CVSSv3 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References

Red Hat: CVE-2023-2455 Mitre: CVE-2023-2455 FAQs regarding Amazon Linux ALAS/CVE Severity