CVE-2023-5869
Public on 2023-11-10
Modified on 2024-03-18
Description
While modifying certain SQL array values, missing overflow checks let authenticated database users write arbitrary bytes to a memory area that facilitates arbitrary code execution. Missing overflow checks also let authenticated database users read a wide area of server memory. The CVE-2021-32027 fix covered some attacks of this description, but it missed others.
Severity
Important
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Postgresql13 Extra | libpq | Pending Fix | ||
| Amazon Linux 2 - Postgresql12 Extra | libpq | 2024-01-03 | ALAS2POSTGRESQL12-2024-006 | Fixed |
| Amazon Linux 2 - Postgresql14 Extra | libpq | 2024-01-19 | ALAS2POSTGRESQL14-2024-005 | Fixed |
| Amazon Linux 2 - Core | postgresql | Pending Fix | ||
| Amazon Linux 2 - Postgresql12 Extra | postgresql | 2024-01-19 | ALAS2POSTGRESQL12-2024-007 | Fixed |
| Amazon Linux 2 - Postgresql13 Extra | postgresql | 2024-01-19 | ALAS2POSTGRESQL13-2024-005 | Fixed |
| Amazon Linux 2 - Postgresql14 Extra | postgresql | 2024-01-19 | ALAS2POSTGRESQL14-2024-004 | Fixed |
| Amazon Linux 2023 | postgresql15 | 2024-01-03 | ALAS2023-2024-464 | Fixed |
| Amazon Linux 1 | postgresql92 | Pending Fix |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSSv3 | 8.8 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |