FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection

Affected packages
postgresql-server < 11.21
postgresql-server < 12.16
postgresql-server < 13.12
postgresql-server < 14.9
postgresql-server < 15.4

Details

VuXML ID cfd2a634-3785-11ee-94b4-6cc21735f730
Discovery 2023-08-10
Entry 2023-08-10

PostgreSQL Project reports

An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite is an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enables an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. PostgreSQL will block this attack in the core server, so there's no need to modify individual extensions.

References

CVE Name CVE-2023-39417
URL https://www.postgresql.org/support/security/CVE-2023-39417/