Public on 2023-05-13
Modified on 2024-01-12
While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
Medium severity
CVSS v3 Base Score
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Postgresql11 Extra postgresql 2023-08-07 ALAS2POSTGRESQL11-2023-001 Fixed
Amazon Linux 2 - Postgresql12 Extra postgresql 2023-08-07 ALAS2POSTGRESQL12-2023-001 Fixed
Amazon Linux 2 - Postgresql13 Extra postgresql 2023-08-07 ALAS2POSTGRESQL13-2023-001 Fixed
Amazon Linux 2 - Postgresql14 Extra postgresql 2023-08-07 ALAS2POSTGRESQL14-2023-001 Fixed
Amazon Linux 2023 postgresql15 2023-10-12 ALAS2023-2023-387 Fixed
Amazon Linux 1 postgresql92 Pending Fix

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 4.2 AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N