VYPR
Unrated severity · NVD Advisory · Published Aug 11, 2023 · Updated Mar 12, 2026

PostgreSQL: extension script @substitutions@ within quoting allow SQL injection

CVE-2023-39417

Description

A SQL injection vulnerability was found in PostgreSQL extension scripts: it is triggered when an extension script uses the @extowner@, @extschema@, or @extschema:...@ substitution inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed the files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

Affected products (17)

  • Red Hat/RHACS-3.74-RHEL-8
    cpe:/a:redhat:advanced_cluster_security:3.74::el8
    Range: 3.74.8-9
  • Red Hat/RHACS-4.1-RHEL-8
    cpe:/a:redhat:advanced_cluster_security:4.1::el8
    Range: 4.1.6-6
  • Red Hat/Red Hat Advanced Cluster Security 4.2
    cpe:/a:redhat:advanced_cluster_security:4.2::el8
    Range: 4.2.4-7
  • Red Hat/Red Hat Enterprise Linux 8 (2 versions)
    • cpe:/a:redhat:enterprise_linux:8::appstream, Range: 8090020231114113548.a75119d5
    • cpe:/o:redhat:enterprise_linux:8
  • Red Hat/Red Hat Enterprise Linux 9 (2 versions)
    • cpe:/a:redhat:enterprise_linux:9::appstream, Range: 9030020231120082734.rhel9
    • cpe:/a:redhat:enterprise_linux:9::crb, Range: 0:13.13-1.el9_3
  • Red Hat/Red Hat Enterprise Linux 8.6 Extended Update Support
    cpe:/a:redhat:rhel_eus:8.6::appstream
    Range: 8060020231128165328.ad008a3a
  • Red Hat/Red Hat Enterprise Linux 8.8 Extended Update Support
    cpe:/a:redhat:rhel_eus:8.8::appstream
    Range: 8080020231113134015.63b34585
  • Red Hat/Red Hat Enterprise Linux 9.0 Extended Update Support
    cpe:/a:redhat:rhel_eus:9.0::appstream
    Range: 0:13.13-1.el9_0
  • Red Hat/Red Hat Enterprise Linux 9.2 Extended Update Support
    cpe:/a:redhat:rhel_eus:9.2::appstream
    Range: 9020020231115020618.rhel9
  • Red Hat/Red Hat Software Collections
    cpe:/a:redhat:rhel_software_collections:3
  • Red Hat/Red Hat Software Collections for Red Hat Enterprise Linux 7
    cpe:/a:redhat:rhel_software_collections:3::el7
    Range: 0:13.13-1.el7
  • Red Hat/Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
    cpe:/a:redhat:rhel_tus:8.2::appstream
    Range: 8020020231128165246.4cda2c84
  • Red Hat/Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
    cpe:/a:redhat:rhel_tus:8.4::appstream
    Range: 8040020231127154806.522a0ee4
  • Red Hat/Red Hat Enterprise Linux 6
    cpe:/o:redhat:enterprise_linux:6
  • Red Hat/Red Hat Enterprise Linux 7
    cpe:/o:redhat:enterprise_linux:7

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (24)

News mentions (1)