CVE-2023-39417
CVSS 3.1 Score 8.8 of 10 (high)
Details
Published Aug 11, 2023
Updated Feb 16, 2024
CWE ID 89
Summary
CVE-2023-39417: A SQL Injection vulnerability exists in PostgreSQL when certain syntax, specifically @extowner@, @extschema@, or @extschema:...@, is used inside quoting constructs in extension scripts. This issue puts databases at risk if an administrator has installed vulnerable, trusted, non-bundled extensions. An attacker with database-level CREATE privileges can exploit this vulnerability to execute arbitrary code as the bootstrap superuser.
Affected Products
- PostgreSQL
- Red Hat Enterprise Linux
- Debian
Affected Vendors
- Postgresql
- Debian
- Red Hat