NVD Vulnerability Detail
Search Exploit, PoC
CVE-2023-5869
Summary

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

Publication Date Dec. 11, 2023, 3:15 a.m.
Registration Date Dec. 11, 2023, 10 a.m.
Last Update Nov. 21, 2024, 5:42 p.m.
CVSS3.1 : HIGH
スコア 8.8
Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
攻撃元区分(AV) ネットワーク
攻撃条件の複雑さ(AC)
攻撃に必要な特権レベル(PR)
利用者の関与(UI) 不要
影響の想定範囲(S) 変更なし
機密性への影響(C)
完全性への影響(I)
可用性への影響(A)
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:postgresql:postgresql:16.0:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 15.0 15.5
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 14.0 14.10
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 13.0 13.13
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 12.0 12.17
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 11.0 11.22
Configuration2 or higher or less more than less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_scientific_computing:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:software_collections:1.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.4:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:8.8:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2_ppc64le:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.2_aarch64:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:9.2_s390x:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder_eus_for_power_little_endian_eus:9.2_ppc64le:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder_eus:9.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:8.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.8_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.8_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:8.0_s390x:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:9.2_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.2_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.0_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:8.6_s390x:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:7.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian:7.0_ppc64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:7.0_s390x:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:9.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:9.0_s390x:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.0_aarch64:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder_eus_for_power_little_endian_eus:9.0_ppc64le:*:*:*:*:*:*:*
cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:8.6_aarch64:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:8.6_ppc64le:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_for_arm_64:8.8_aarch64:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List
JVN Vulnerability Information
PostgreSQL.org の PostgreSQL 等複数ベンダの製品における整数オーバーフローの脆弱性
Title PostgreSQL.org の PostgreSQL 等複数ベンダの製品における整数オーバーフローの脆弱性
Summary

PostgreSQL.org の PostgreSQL 等複数ベンダの製品には、整数オーバーフローの脆弱性が存在します。

Possible impacts 情報を取得される、情報を改ざんされる、およびサービス運用妨害 (DoS) 状態にされる可能性があります。
Solution

ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date Dec. 10, 2023, midnight
Registration Date Jan. 15, 2024, 10:11 a.m.
Last Update Jan. 15, 2024, 10:11 a.m.
Affected System
レッドハット
codeready linux builder eus 9.2
codeready linux builder eus for power little endian eus 9.0 ppc64le
codeready linux builder eus for power little endian eus 9.2 ppc64le
codeready linux builder for arm64 eus 8.6 aarch64
codeready linux builder for arm64 eus 9.0 aarch64
codeready linux builder for arm64 eus 9.2 aarch64
codeready linux builder for ibm z systems eus 9.0 s390x
codeready linux builder for ibm z systems eus 9.2 s390x
codeready linux builder for power little endian eus 9.0 ppc64le
codeready linux builder for power little endian eus 9.2 ppc64le
enterprise linux for arm 64 8.0
enterprise linux for arm 64 8.8 aarch64
Red Hat Enterprise Linux 8.0
Red Hat Enterprise Linux 9.0
Red Hat Enterprise Linux Desktop 7.0
Red Hat Enterprise Linux EUS 8.6
Red Hat Enterprise Linux EUS 8.8
Red Hat Enterprise Linux EUS 9.0
Red Hat Enterprise Linux EUS 9.2
Red Hat Enterprise Linux for IBM z Systems 
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 
Red Hat Enterprise Linux for Power, big endian 
Red Hat Enterprise Linux for Power, little endian 
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 
Red Hat Enterprise Linux for Scientific Computing 
Red Hat Enterprise Linux Server 
Red Hat Enterprise Linux Server AUS 
Red Hat Enterprise Linux Server TUS 
Red Hat Enterprise Linux Workstation 
Red Hat Software Collections 1.0
PostgreSQL.org
PostgreSQL 11.0 以上 11.22 未満
PostgreSQL 12.0 以上 12.17 未満
PostgreSQL 13.0 以上 13.13 未満
PostgreSQL 14.0 以上 14.10 未満
PostgreSQL 15.0 以上 15.5 未満
PostgreSQL 16.0
CVE (情報セキュリティ 共通脆弱性識別子)
CWE (共通脆弱性タイプ一覧)
その他
Change Log
No Changed Details Date of change
1 [2024年01月15日]
  掲載		 Jan. 15, 2024, 10:11 a.m.