CVE-2023-2454

Public on 2023-05-13

Modified on 2024-04-29

Description

This enabled an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. Database owners have that right by default, and explicit grants may extend it to other users.

Severity

Important

CVSS v3 Base Score

7.2

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 2 - Postgresql10 Extra	postgresql			No Fix Planned
Amazon Linux 2 - Core	postgresql	2024-02-15	ALAS2-2024-2462	Fixed
Amazon Linux 2 - Postgresql11 Extra	postgresql	2023-08-07	ALAS2POSTGRESQL11-2023-001	Fixed
Amazon Linux 2 - Postgresql12 Extra	postgresql	2023-08-07	ALAS2POSTGRESQL12-2023-001	Fixed
Amazon Linux 2 - Postgresql13 Extra	postgresql	2023-08-07	ALAS2POSTGRESQL13-2023-001	Fixed
Amazon Linux 2 - Postgresql14 Extra	postgresql	2023-08-07	ALAS2POSTGRESQL14-2023-001	Fixed
Amazon Linux 2023	postgresql15	2023-07-05	ALAS2023-2023-241	Fixed
Amazon Linux 1	postgresql92	2023-06-05	ALAS-2023-1759	Fixed

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	7.2	AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
NVD	CVSSv3	7.2	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2023-2454 Mitre: CVE-2023-2454