Critical Security Flaw in PostgreSQL Database System: CVE-2023-39417

August 14, 2023

PostgreSQL, the widely used open-source object-relational database system, has been found to contain a serious security vulnerability. The flaw, CVE-2023-39417, carries a CVSS score of 7.5. It allows an attacker who holds database-level CREATE privilege to run arbitrary code as the bootstrap superuser. The vulnerability lies in the handling of PostgreSQL extension scripts and is exploitable only if an administrator has installed files from a vulnerable, trusted, non-bundled extension. The root cause is a failure to adequately sanitize user-controlled input when the @extowner@, @extschema@, or @extschema:…@ placeholders are substituted into the script.

An attacker exploits the flaw by submitting crafted input to a PostgreSQL instance running a vulnerable version; the input could be a SQL query or a function parameter. Once the malicious input is processed, the attacker can run arbitrary code as the bootstrap superuser, the account that has complete control over the PostgreSQL database. With that level of access an attacker can perform any action on the database, including stealing, deleting, or altering data.

CVE-2023-39417 affects PostgreSQL versions 11, 12, 13, 14, and 15; the fixed releases are 11.21, 12.16, 13.12, 14.9, and 15.4. The fix is applied in the core server, so it blocks the attack without requiring users to modify individual extensions, which simplifies remediation. Do not postpone this update: until it is applied, the security of your data is at risk.
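The fixed-release list above is what a DBA actually checks against during triage. The following is an added example, not code from the advisory or the PostgreSQL project: it takes the integer a server reports for `SHOW server_version_num` (an assumption here is that you have already run that statement and pasted the value in), decides whether the release is at or past the fix, and carries the inventory query for the second condition the advisory names, that a trusted extension is installed. The `trusted` column of `pg_available_extension_versions` exists from PostgreSQL 13 onward; on 11 and 12 drop that filter and review the list by hand.

```python
"""Offline triage helper for CVE-2023-39417 (added example, not project code).

Input is the integer returned by `SHOW server_version_num`, e.g. 150003 for 15.3.
"""

# Minimum patched minor release per affected major, exactly as the advisory
# states them: 11.21, 12.16, 13.12, 14.9, 15.4. Majors not listed are outside
# the advisory's affected range and are reported as such, not as "patched".
FIXED_MINOR = {11: 21, 12: 16, 13: 12, 14: 9, 15: 4}


def split_version_num(server_version_num: int) -> tuple[int, int]:
    """Split PostgreSQL's numeric version (major * 10000 + minor) into (major, minor).

    This encoding is used by PostgreSQL 10 and later, which covers every
    release the advisory names; older two-part numbering is rejected.
    """
    if server_version_num < 100000:
        raise ValueError("pre-10 version numbering is not handled here")
    return divmod(server_version_num, 10000)


def cve_2023_39417_status(server_version_num: int) -> str:
    """Return 'patched', 'vulnerable' or 'not-in-affected-range' for one server."""
    major, minor = split_version_num(server_version_num)
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return "not-in-affected-range"
    return "patched" if minor >= fixed else "vulnerable"


# Run this on the server afterwards: it lists installed extensions whose
# installed version is flagged trusted. Whether each one is bundled with
# PostgreSQL or third-party is a judgement the DBA makes from the list.
INVENTORY_SQL = """
SELECT e.extname, e.extversion, n.nspname AS schema
FROM pg_extension e
JOIN pg_namespace n ON n.oid = e.extnamespace
JOIN pg_available_extension_versions v
  ON v.name = e.extname AND v.version = e.extversion
WHERE v.trusted;
"""

if __name__ == "__main__":
    # Constructed sample values standing in for `SHOW server_version_num` output.
    for sample in (150003, 150004, 110021, 160001):
        print(sample, cve_2023_39417_status(sample))
    print(INVENTORY_SQL)
```

A result of `not-in-affected-range` is deliberately distinct from `patched`: a major release the advisory does not list still needs its own assessment rather than a green light.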
