{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"libpq security update", "category":"general", "title":"Synopsis" }, { "text":"An update for libpq is now available for openEuler-22.03-LTS-SP1.", "category":"general", "title":"Summary" }, { "text":"PostgreSQL is a powerful, open source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. This package provides the essential shared library for any PostgreSQL client program or interface.\n\n\n\nSecurity Fix(es):\n\n** DISPUTED ** An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals. NOTE: this is disputed by the vendor because untrusted users cannot send SIGHUP signals; they can only be sent by a PostgreSQL superuser, a user with pg_reload_conf access, or a user with sufficient privileges at the OS level (the postgres account or the root account).(CVE-2020-21469)\n\nschema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.(CVE-2023-2454)\n\nRow security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.(CVE-2023-2455)\n\nIN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or \"\"). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.(CVE-2023-39417)\n\nA vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.(CVE-2023-39418)", "category":"general", "title":"Description" }, { "text":"An update for libpq is now available for openEuler-22.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"libpq", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2023-1567", "category":"self", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1567" }, { "summary":"CVE-2020-21469", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2020-21469&packageName=libpq" }, { "summary":"CVE-2023-2454", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-2454&packageName=libpq" }, { "summary":"CVE-2023-2455", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-2455&packageName=libpq" }, { "summary":"CVE-2023-39417", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-39417&packageName=libpq" }, { "summary":"CVE-2023-39418", "category":"self", "url":"https://www.openeuler.org/en/security/cve/detail?cveId=CVE-2023-39418&packageName=libpq" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2020-21469" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2454" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2023-2455" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39417" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2023-39418" }, { "summary":"openEuler-SA-2023-1567 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2023/csaf-openeuler-sa-2023-1567.json" } ], "title":"An update for libpq is now available for openEuler-22.03-LTS-SP1", "tracking":{ "initial_release_date":"2023-09-02T14:22:34+08:00", "revision_history":[ { "date":"2023-09-02T14:22:34+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T14:22:34+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T14:22:34+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T14:22:34+08:00", "id":"openEuler-SA-2023-1567", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"openEuler-22.03-LTS-SP1", "name":"openEuler-22.03-LTS-SP1" }, "name":"openEuler-22.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"aarch64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"libpq-debugsource-13.12-1.oe2203sp1.aarch64.rpm", "name":"libpq-debugsource-13.12-1.oe2203sp1.aarch64.rpm" }, "name":"libpq-debugsource-13.12-1.oe2203sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"libpq-13.12-1.oe2203sp1.aarch64.rpm", "name":"libpq-13.12-1.oe2203sp1.aarch64.rpm" }, "name":"libpq-13.12-1.oe2203sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"libpq-debuginfo-13.12-1.oe2203sp1.aarch64.rpm", "name":"libpq-debuginfo-13.12-1.oe2203sp1.aarch64.rpm" }, "name":"libpq-debuginfo-13.12-1.oe2203sp1.aarch64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"libpq-devel-13.12-1.oe2203sp1.aarch64.rpm", "name":"libpq-devel-13.12-1.oe2203sp1.aarch64.rpm" }, "name":"libpq-devel-13.12-1.oe2203sp1.aarch64.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"libpq-13.12-1.oe2203sp1.src.rpm", "name":"libpq-13.12-1.oe2203sp1.src.rpm" }, "name":"libpq-13.12-1.oe2203sp1.src.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"x86_64", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"libpq-13.12-1.oe2203sp1.x86_64.rpm", "name":"libpq-13.12-1.oe2203sp1.x86_64.rpm" }, "name":"libpq-13.12-1.oe2203sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"libpq-debugsource-13.12-1.oe2203sp1.x86_64.rpm", "name":"libpq-debugsource-13.12-1.oe2203sp1.x86_64.rpm" }, "name":"libpq-debugsource-13.12-1.oe2203sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"libpq-debuginfo-13.12-1.oe2203sp1.x86_64.rpm", "name":"libpq-debuginfo-13.12-1.oe2203sp1.x86_64.rpm" }, "name":"libpq-debuginfo-13.12-1.oe2203sp1.x86_64.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:22.03-LTS-SP1" }, "product_id":"libpq-devel-13.12-1.oe2203sp1.x86_64.rpm", "name":"libpq-devel-13.12-1.oe2203sp1.x86_64.rpm" }, "name":"libpq-devel-13.12-1.oe2203sp1.x86_64.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"libpq-debugsource-13.12-1.oe2203sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "name":"libpq-debugsource-13.12-1.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"libpq-13.12-1.oe2203sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "name":"libpq-13.12-1.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"libpq-debuginfo-13.12-1.oe2203sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "name":"libpq-debuginfo-13.12-1.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"libpq-devel-13.12-1.oe2203sp1.aarch64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "name":"libpq-devel-13.12-1.oe2203sp1.aarch64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"libpq-13.12-1.oe2203sp1.src.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "name":"libpq-13.12-1.oe2203sp1.src as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"libpq-13.12-1.oe2203sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "name":"libpq-13.12-1.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"libpq-debugsource-13.12-1.oe2203sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "name":"libpq-debugsource-13.12-1.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"libpq-debuginfo-13.12-1.oe2203sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "name":"libpq-debuginfo-13.12-1.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-22.03-LTS-SP1", "product_reference":"libpq-devel-13.12-1.oe2203sp1.x86_64.rpm", "full_product_name":{ "product_id":"openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64", "name":"libpq-devel-13.12-1.oe2203sp1.x86_64 as a component of openEuler-22.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2020-21469", "notes":[ { "text":"** DISPUTED ** An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals. NOTE: this is disputed by the vendor because untrusted users cannot send SIGHUP signals; they can only be sent by a PostgreSQL superuser, a user with pg_reload_conf access, or a user with sufficient privileges at the OS level (the postgres account or the root account).", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ], "details":"libpq security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1567" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.5, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2020-21469" }, { "cve":"CVE-2023-2454", "notes":[ { "text":"schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ], "details":"libpq security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1567" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.2, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2023-2454" }, { "cve":"CVE-2023-2455", "notes":[ { "text":"Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ], "details":"libpq security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1567" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":5.4, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2023-2455" }, { "cve":"CVE-2023-39417", "notes":[ { "text":"IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, , or ). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ], "details":"libpq security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1567" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":8.8, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2023-39417" }, { "cve":"CVE-2023-39418", "notes":[ { "text":"A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ] }, "remediations":[ { "product_ids":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ], "details":"libpq security update", "category":"vendor_fix", "url":"https://www.openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2023-1567" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"MEDIUM", "baseScore":4.3, "vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version":"3.1" }, "products":[ "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.aarch64", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.src", "openEuler-22.03-LTS-SP1:libpq-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debugsource-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-debuginfo-13.12-1.oe2203sp1.x86_64", "openEuler-22.03-LTS-SP1:libpq-devel-13.12-1.oe2203sp1.x86_64" ] } ], "threats":[ { "details":"Medium", "category":"impact" } ], "title":"CVE-2023-39418" } ] }