发布时间: 2024年11月19日
修改时间: 2024年11月22日
Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
| NVD | openEuler | |
|---|---|---|
| CVSS评分 | 4.2 | 4.2 |
| Attack Vector | Network | Network |
| Attack Complexity | High | High |
| Privileges Required | Low | Low |
| User Interaction | None | None |
| Scope | Unchanged | Unchanged |
| Confidentiality | Low | Low |
| Integrity | Low | Low |
| Availability | None | None |
| 公告名 | 概要 | 发布时间 |
|---|---|---|
| KylinSec-SA-2024-4217 | postgresql security update | 2024年11月22日 |
| KylinSec-SA-2024-5006 | postgresql security update | 2024年11月22日 |
| 产品 | 包 | 状态 |
|---|---|---|
| KY3.4-5A | postgresql | Unaffected |
| KY3.5.2 | postgresql | Fixed |
| V6 | postgresql | Fixed |
