CVSS Score v3.1
7.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score
0.0066
71.7th percentile
Risk Priority
15
60% EPSS · 20% KEV · 20% CVSS
Summary
CVE-2023-39417 is a high-severity SQL Injection (CWE-89) vulnerability in PostgreSQL. Its CVSS base score is 7.5 (High).
Operationally, it is ranked in the top 28.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Vulnerability details
In the extension script, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
postgresql / postgresql: 11.0 — 11.21, 12.0 — 12.16, 13.0 — 13.12
redhat / software collections: all versions
redhat / enterprise linux: 8.0, 9.0
debian / debian linux: 8.0, 11.0, 12.0
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.
Validates query inputs to prevent SQL syntax or command manipulation.
References
Third Party Advisory · secalert@redhat.com