CVE-2023-5868
Public on 2023-11-12
Modified on 2024-03-13
Description
Certain aggregate function calls receiving "unknown"-type arguments could disclose bytes of server memory from the end of the "unknown"-type value to the next zero byte. One typically gets an "unknown"-type value via a string literal having no type designation. We have not confirmed or ruled out viability of attacks that arrange for presence of notable, confidential information in disclosed bytes.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | postgresql | Pending Fix | ||
| Amazon Linux 2 - Postgresql12 Extra | postgresql | 2024-01-19 | ALAS2POSTGRESQL12-2024-007 | Fixed |
| Amazon Linux 2 - Postgresql13 Extra | postgresql | 2024-01-19 | ALAS2POSTGRESQL13-2024-005 | Fixed |
| Amazon Linux 2 - Postgresql14 Extra | postgresql | 2024-01-19 | ALAS2POSTGRESQL14-2024-004 | Fixed |
| Amazon Linux 2023 | postgresql15 | 2024-01-03 | ALAS2023-2024-464 | Fixed |
| Amazon Linux 1 | postgresql92 | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| NVD | CVSSv3 | 4.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |