SQL Injection Affecting postgresql-contrib-debuginfo package, versions <0:12.17-1.module+el8.9.0+1603+444d1b54


Severity

Recommended
0.0
high
0
10

Based on Rocky Linux security rating.

Threat Intelligence

EPSS
0.37% (73rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-ROCKY8-POSTGRESQLCONTRIBDEBUGINFO-6102062
  • published7 Dec 2023
  • disclosed11 Aug 2023

Introduced: 11 Aug 2023

CVE-2023-39417  (opens in a new tab)
CWE-89  (opens in a new tab)

How to fix?

Upgrade Rocky-Linux:8 postgresql-contrib-debuginfo to version 0:12.17-1.module+el8.9.0+1603+444d1b54 or higher.
This issue was patched in RLSA-2023:7714.

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-contrib-debuginfo package and not the postgresql-contrib-debuginfo package as distributed by Rocky-Linux. See How to fix? for Rocky-Linux:8 relevant fixed versions and status.

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

CVSS Scores

version 3.1