Amazon Linux 2023: CVE-2023-2455: Medium priority package update for postgresql15

Amazon Linux 2023: CVE-2023-2455: Medium priority package update for postgresql15

Severity

4

CVSS

(AV:N/AC:H/Au:S/C:P/I:P/A:N)

Published

05/11/2023

Created

02/14/2025

Added

02/14/2025

Modified

02/14/2025

Description

Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. A flaw was found in PostgreSQL, which could permit incorrect policies being applied in certain cases where role-specific policies are used and a given query is planned under one role and executed under other roles. This scenario can happen under security definer functions, or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise forbidden reads and modifications. This only affects databases that have used CREATE POLICY to define a row security policy.

Solution(s)

• amazon-linux-2023-upgrade-postgresql15
• amazon-linux-2023-upgrade-postgresql15-contrib
• amazon-linux-2023-upgrade-postgresql15-contrib-debuginfo
• amazon-linux-2023-upgrade-postgresql15-debuginfo
• amazon-linux-2023-upgrade-postgresql15-debugsource
• amazon-linux-2023-upgrade-postgresql15-docs
• amazon-linux-2023-upgrade-postgresql15-docs-debuginfo
• amazon-linux-2023-upgrade-postgresql15-llvmjit
• amazon-linux-2023-upgrade-postgresql15-llvmjit-debuginfo
• amazon-linux-2023-upgrade-postgresql15-plperl
• amazon-linux-2023-upgrade-postgresql15-plperl-debuginfo
• amazon-linux-2023-upgrade-postgresql15-plpython3
• amazon-linux-2023-upgrade-postgresql15-plpython3-debuginfo
• amazon-linux-2023-upgrade-postgresql15-pltcl
• amazon-linux-2023-upgrade-postgresql15-pltcl-debuginfo
• amazon-linux-2023-upgrade-postgresql15-private-devel
• amazon-linux-2023-upgrade-postgresql15-private-libs
• amazon-linux-2023-upgrade-postgresql15-private-libs-debuginfo
• amazon-linux-2023-upgrade-postgresql15-server
• amazon-linux-2023-upgrade-postgresql15-server-debuginfo
• amazon-linux-2023-upgrade-postgresql15-server-devel
• amazon-linux-2023-upgrade-postgresql15-server-devel-debuginfo
• amazon-linux-2023-upgrade-postgresql15-static
• amazon-linux-2023-upgrade-postgresql15-test
• amazon-linux-2023-upgrade-postgresql15-test-debuginfo
• amazon-linux-2023-upgrade-postgresql15-test-rpm-macros
• amazon-linux-2023-upgrade-postgresql15-upgrade
• amazon-linux-2023-upgrade-postgresql15-upgrade-debuginfo
• amazon-linux-2023-upgrade-postgresql15-upgrade-devel
• amazon-linux-2023-upgrade-postgresql15-upgrade-devel-debuginfo

References

• https://attackerkb.com/topics/cve-2023-2455
• CVE - 2023-2455
• https://alas.aws.amazon.com/AL2023/ALAS-2023-387.html