Incomplete tracking in PostgreSQL of tables with row
security allows a reused query to view or change
different rows from those intended. CVE-2023-2455 and
CVE-2016-2193 fixed most interaction between row
security and user ID changes. They missed cases where a
subquery, WITH query, security invoker view, or
SQL-language function references a table with a
row-level security policy. This has the same
consequences as the two earlier CVEs. That is to say, it
leads to potentially incorrect policies being applied in
cases where role-specific policies are used and a given
query is planned under one role and then executed under
other roles. This scenario can happen under security
definer functions or when a common user and query is
planned initially and then re-used across multiple SET
ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects only databases
that have used CREATE POLICY to define a row security policy. An
attacker must tailor an attack to a particular application's pattern of
query plan reuse, user ID changes, and role-specific row security
policies.