#VU82943 Permissions, Privileges, and Access Controls in PostgreSQL


Vulnerability identifier: #VU82943

Vulnerability risk: Low

CVSSv3.1: 2 [CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-5870

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to pg_cancel_backend rolse signals background workers, including the logical replication launcher, autovacuum workers and the autovacuum launcher. A remote privileged user can abuse this behavior and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 11.0 - 16.0

External links
http://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler 22.03 LTS SP1 update for libpq
Multiple vulnerabilities in IBM Storage Protect Plus
Gentoo update for PostgreSQL
Amazon Linux AMI update for postgresql15
Multiple vulnerabilities in IBM Storage Scale System
Multiple vulnerabilities in Dell NetWorker Virtual Edition and Dell NetWorker Management Console
Multiple vulnerabilities in Dell PowerStoreT OS
Multiple vulnerabilities in Dell PowerStore Family
Multiple vulnerabilities in IBM Security Guardium
Permissions, privileges, and access controls in IBM Sterling Connect:Direct Web Services