{
  "threat_severity" : "Important",
  "public_date" : "2023-11-09T00:00:00Z",
  "bugzilla" : {
    "description" : "postgresql: Buffer overrun from integer overflow in array modification",
    "id" : "2247169",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2247169"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-190",
  "details" : [ "A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. The issue is caused by an integer overflow during array modification, which a remote authenticated user can trigger by supplying specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.", "A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. The issue is caused by an integer overflow during array modification, which a remote authenticated user can trigger by supplying specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory." ],
  "acknowledgement" : "Upstream acknowledges Pedro Gallegos as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Advanced Cluster Security 4.2",
    "release_date" : "2024-01-22T00:00:00Z",
    "advisory" : "RHSA-2024:0337",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.2::el8",
    "package" : "advanced-cluster-security/rhacs-central-db-rhel8:4.2.4-6"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.2",
    "release_date" : "2024-01-22T00:00:00Z",
    "advisory" : "RHSA-2024:0337",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.2::el8",
    "package" : "advanced-cluster-security/rhacs-main-rhel8:4.2.4-6"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.2",
    "release_date" : "2024-01-22T00:00:00Z",
    "advisory" : "RHSA-2024:0337",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.2::el8",
    "package" : "advanced-cluster-security/rhacs-operator-bundle:4.2.4-7"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.2",
    "release_date" : "2024-01-22T00:00:00Z",
    "advisory" : "RHSA-2024:0337",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.2::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-db-rhel8:4.2.4-6"
  }, {
    "product_name" : "Red Hat Advanced Cluster Security 4.2",
    "release_date" : "2024-01-22T00:00:00Z",
    "advisory" : "RHSA-2024:0337",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.2::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.2.4-7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7783",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "postgresql-0:9.2.24-9.el7_9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-11-29T00:00:00Z",
    "advisory" : "RHSA-2023:7581",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "postgresql:13-8090020231114113712.a75119d5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-12-11T00:00:00Z",
    "advisory" : "RHSA-2023:7714",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "postgresql:12-8090020231128173330.a75119d5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7790",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "postgresql:10-8090020231201202407.a75119d5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2023-12-20T00:00:00Z",
    "advisory" : "RHSA-2023:7884",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "postgresql:15-8090020231114113548.a75119d5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7778",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.1",
    "package" : "postgresql:10-8010020231130170510.c27ad7f8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2023-12-06T00:00:00Z",
    "advisory" : "RHSA-2023:7667",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "postgresql:12-8020020231128165246.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Advanced Update Support",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7788",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.2",
    "package" : "postgresql:10-8020020231201202149.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
    "release_date" : "2023-12-06T00:00:00Z",
    "advisory" : "RHSA-2023:7667",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.2",
    "package" : "postgresql:12-8020020231128165246.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Telecommunications Update Service",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7788",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.2",
    "package" : "postgresql:10-8020020231201202149.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions",
    "release_date" : "2023-12-06T00:00:00Z",
    "advisory" : "RHSA-2023:7667",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.2",
    "package" : "postgresql:12-8020020231128165246.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7788",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.2",
    "package" : "postgresql:10-8020020231201202149.4cda2c84"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7694",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "postgresql:12-8040020231127153301.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7695",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "postgresql:13-8040020231127154806.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2023-12-19T00:00:00Z",
    "advisory" : "RHSA-2023:7878",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4",
    "package" : "postgresql:10-8040020231127142440.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7694",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.4",
    "package" : "postgresql:12-8040020231127153301.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7695",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.4",
    "package" : "postgresql:13-8040020231127154806.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Telecommunications Update Service",
    "release_date" : "2023-12-19T00:00:00Z",
    "advisory" : "RHSA-2023:7878",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.4",
    "package" : "postgresql:10-8040020231127142440.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7694",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
    "package" : "postgresql:12-8040020231127153301.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2023-12-07T00:00:00Z",
    "advisory" : "RHSA-2023:7695",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
    "package" : "postgresql:13-8040020231127154806.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions",
    "release_date" : "2023-12-19T00:00:00Z",
    "advisory" : "RHSA-2023:7878",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.4",
    "package" : "postgresql:10-8040020231127142440.522a0ee4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2023-11-29T00:00:00Z",
    "advisory" : "RHSA-2023:7580",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "postgresql:13-8060020231114115246.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2023-12-06T00:00:00Z",
    "advisory" : "RHSA-2023:7666",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "postgresql:12-8060020231128165328.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Extended Update Support",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7789",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.6",
    "package" : "postgresql:10-8060020231201202249.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2023-11-29T00:00:00Z",
    "advisory" : "RHSA-2023:7579",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "postgresql:13-8080020231114105206.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2023-12-05T00:00:00Z",
    "advisory" : "RHSA-2023:7656",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "postgresql:12-8080020231128165335.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7786",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "postgresql:10-8080020231201202316.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Extended Update Support",
    "release_date" : "2023-12-20T00:00:00Z",
    "advisory" : "RHSA-2023:7883",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.8",
    "package" : "postgresql:15-8080020231113134015.63b34585"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7784",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "postgresql-0:13.13-1.el9_3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7785",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "postgresql:15-9030020231120082734.rhel9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Extended Update Support",
    "release_date" : "2023-11-28T00:00:00Z",
    "advisory" : "RHSA-2023:7545",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.0",
    "package" : "postgresql-0:13.13-1.el9_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2023-11-30T00:00:00Z",
    "advisory" : "RHSA-2023:7616",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "postgresql-0:13.13-1.el9_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Extended Update Support",
    "release_date" : "2023-12-20T00:00:00Z",
    "advisory" : "RHSA-2023:7885",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.2",
    "package" : "postgresql:15-9020020231115020618.rhel9"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7770",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql12-postgresql-0:12.17-1.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7771",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql10-postgresql-0:10.23-2.el7"
  }, {
    "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7",
    "release_date" : "2023-12-13T00:00:00Z",
    "advisory" : "RHSA-2023:7772",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7",
    "package" : "rh-postgresql13-postgresql-0:13.13-1.el7"
  }, {
    "product_name" : "RHACS-3.74-RHEL-8",
    "release_date" : "2024-01-18T00:00:00Z",
    "advisory" : "RHSA-2024:0304",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3.74::el8",
    "package" : "advanced-cluster-security/rhacs-central-db-rhel8:3.74.8-9"
  }, {
    "product_name" : "RHACS-3.74-RHEL-8",
    "release_date" : "2024-01-18T00:00:00Z",
    "advisory" : "RHSA-2024:0304",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3.74::el8",
    "package" : "advanced-cluster-security/rhacs-main-rhel8:3.74.8-9"
  }, {
    "product_name" : "RHACS-3.74-RHEL-8",
    "release_date" : "2024-01-18T00:00:00Z",
    "advisory" : "RHSA-2024:0304",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3.74::el8",
    "package" : "advanced-cluster-security/rhacs-operator-bundle:3.74.8-7"
  }, {
    "product_name" : "RHACS-3.74-RHEL-8",
    "release_date" : "2024-01-18T00:00:00Z",
    "advisory" : "RHSA-2024:0304",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3.74::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-db-rhel8:3.74.8-9"
  }, {
    "product_name" : "RHACS-3.74-RHEL-8",
    "release_date" : "2024-01-18T00:00:00Z",
    "advisory" : "RHSA-2024:0304",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:3.74::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:3.74.8-9"
  }, {
    "product_name" : "RHACS-4.1-RHEL-8",
    "release_date" : "2024-01-22T00:00:00Z",
    "advisory" : "RHSA-2024:0332",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.1::el8",
    "package" : "advanced-cluster-security/rhacs-central-db-rhel8:4.1.6-6"
  }, {
    "product_name" : "RHACS-4.1-RHEL-8",
    "release_date" : "2024-01-22T00:00:00Z",
    "advisory" : "RHSA-2024:0332",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.1::el8",
    "package" : "advanced-cluster-security/rhacs-main-rhel8:4.1.6-6"
  }, {
    "product_name" : "RHACS-4.1-RHEL-8",
    "release_date" : "2024-01-22T00:00:00Z",
    "advisory" : "RHSA-2024:0332",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.1::el8",
    "package" : "advanced-cluster-security/rhacs-operator-bundle:4.1.6-6"
  }, {
    "product_name" : "RHACS-4.1-RHEL-8",
    "release_date" : "2024-01-22T00:00:00Z",
    "advisory" : "RHSA-2024:0332",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.1::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-db-rhel8:4.1.6-6"
  }, {
    "product_name" : "RHACS-4.1-RHEL-8",
    "release_date" : "2024-01-22T00:00:00Z",
    "advisory" : "RHSA-2024:0332",
    "cpe" : "cpe:/a:redhat:advanced_cluster_security:4.1::el8",
    "package" : "advanced-cluster-security/rhacs-scanner-db-slim-rhel8:4.1.6-6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Out of support scope",
    "package_name" : "postgresql",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "postgresql:16/postgresql",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "postgresql:16/postgresql",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-5869\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-5869\nhttps://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/\nhttps://www.postgresql.org/support/security/CVE-2023-5869/" ],
  "name" : "CVE-2023-5869",
  "mitigation" : {
    "value" : "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical one. Please update the affected package as soon as possible.",
    "lang" : "en:us"
  },
  "csaw" : false
}