PostgreSQL, a powerful open-source object-relational database system that has long been a go-to choice for a wide range of applications, has been found to contain a severe security vulnerability. The flaw, tracked as CVE-2023-39417, carries a substantial CVSS score of 7.5. It allows an attacker who holds database-level CREATE privilege to run arbitrary code as the bootstrap superuser. The vulnerability arises in PostgreSQL extension scripts and can be exploited if an administrator has installed files from a vulnerable, trusted, non-bundled extension. Its root cause is a failure to adequately sanitize user-controlled input when the server substitutes the @extowner@, @extschema@, or @extschema:…@ markers into such a script.
An attacker can exploit this vulnerability by submitting malicious input to a PostgreSQL database running a vulnerable version of the software; the input may take the form of a SQL query or a function parameter. Once that input is processed, the attacker can run arbitrary code as the bootstrap superuser, a unique account that has complete control over the PostgreSQL database. With that level of access, an attacker can perform any action on the database, including stealing, deleting, or altering data.
The CVE-2023-39417 vulnerability impacts PostgreSQL versions 11, 12, 13, 14, and 15. The rectified versions are 11.21, 12.16, 13.12, 14.9, and 15.4. PostgreSQL has offered a fix that thwarts this attack at the core server level, eliminating the need for users to modify individual extensions and simplifying the remediation process. Therefore, it is crucial not to postpone this vital update as the security of your data is at risk.
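The two facts an operator needs from this advisory are the first fixed minor release per major and the precondition of a trusted, non-bundled extension being installed. The following triage helper is an added example, not code from the advisory or from the PostgreSQL project; it assumes the caller has already run the catalog queries shown in its docstring and supplies the list of extensions bundled with their build (the `trusted` column of `pg_available_extension_versions` exists from PostgreSQL 13 onward).

```python
"""Triage helper for CVE-2023-39417 (added example, not from the advisory or PostgreSQL).

Inputs are values an administrator pulls from the server, e.g.
  SELECT current_setting('server_version_num');
  SELECT e.extname, e.extversion, v.trusted
    FROM pg_extension e
    JOIN pg_available_extension_versions v
      ON v.name = e.extname AND v.version = e.extversion;  -- v.trusted exists on PG 13+
"""
from dataclasses import dataclass

# First fixed release per major, taken from the advisory, as server_version_num
# (major * 10000 + minor).
FIXED_VERSION_NUM = {11: 110021, 12: 120016, 13: 130012, 14: 140009, 15: 150004}


def parse_version_num(value) -> int:
    """Accept server_version_num (140008 or '140008') or 'major.minor' ('14.8')."""
    text = str(value).strip()
    if "." in text:
        major, minor = text.split(".", 1)
        return int(major) * 10000 + int(minor)
    return int(text)


def server_needs_patch(version) -> bool:
    """True when the major is in the affected range and the minor predates the fix."""
    num = parse_version_num(version)
    fixed = FIXED_VERSION_NUM.get(num // 10000)
    return fixed is not None and num < fixed


@dataclass(frozen=True)
class InstalledExtension:
    name: str
    version: str
    trusted: bool


def extensions_to_review(extensions, bundled_names):
    """Trusted extensions not shipped with the server: the precondition the advisory names.
    bundled_names is supplied by the caller (assumption: the contrib list for their build)."""
    return sorted(e.name for e in extensions if e.trusted and e.name not in bundled_names)


def triage(version, extensions, bundled_names):
    """Both checks in one report: patch the server, then review the listed extensions."""
    return {"server_needs_patch": server_needs_patch(version),
            "trusted_non_bundled": extensions_to_review(extensions, bundled_names)}
```

A major outside 11 through 15 is reported as not needing this particular patch, since the advisory names only those releases.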