Description
Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
A flaw was found in PostgreSQL which could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and executed under other roles. This scenario can happen under security definer functions, or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This only affects databases that have used CREATE POLICY to define a row security policy.
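Because the advisory scopes the issue to databases that have used CREATE POLICY, and specifically to role-specific policies reached through SECURITY DEFINER functions or reused plans across SET ROLE, the first thing a DBA wants is an inventory of exactly those objects. The following catalog queries are an added example and are not part of the Red Hat advisory; they assume standard PostgreSQL catalog views (pg_policies, pg_class, pg_proc, pg_namespace) and are meant to be run by a role that can read the catalogs of the database being assessed.

```sql
-- Added assessment queries (not from the Red Hat advisory). Run them in each
-- database to decide whether it falls within the advisory's stated scope.

-- 1. Does this database use CREATE POLICY at all? No rows here means the
--    database is outside the scope described in the advisory.
SELECT schemaname, tablename, policyname, roles, cmd, permissive
FROM pg_policies
ORDER BY schemaname, tablename, policyname;

-- 2. Narrow to role-specific policies. pg_policies.roles is name[]; a policy
--    created without TO <role> is shown as {public}, so anything else is a
--    policy whose applicability depends on the current role.
SELECT schemaname, tablename, policyname, roles, cmd
FROM pg_policies
WHERE roles <> '{public}'::name[]
ORDER BY schemaname, tablename, policyname;

-- 3. Tables where row-level security is actually enabled (or forced on the
--    owner), i.e. where the policies above take effect.
SELECT n.nspname AS schemaname,
       c.relname  AS tablename,
       c.relrowsecurity      AS rls_enabled,
       c.relforcerowsecurity AS rls_forced
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relrowsecurity
ORDER BY 1, 2;

-- 4. SECURITY DEFINER functions outside the system schemas: one of the two
--    triggers named in the description (a plan built under the definer's role
--    and reused by callers running as other roles).
SELECT n.nspname AS schemaname,
       p.proname AS function_name,
       pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY 1, 2;
```

A database that returns rows from query 2 on a table listed by query 3, together with SECURITY DEFINER functions from query 4 (or application code that reuses prepared statements across SET ROLE), is the configuration the advisory describes; the fix is the updated PostgreSQL package from the operating system vendor, since no configuration-level mitigation is offered.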
Statement
Red Hat OpenShift Dev Spaces is not affected by this issue, as PostgreSQL was decommissioned in the latest Red Hat OpenShift Dev Spaces 3.6 release, as described in: https://access.redhat.com/documentation/en-us/red_hat_openshift_dev_spaces/3.6/html/release_notes_and_known_issues/removed-functionalities#removed-functionality-crw-4105

Red Hat Satellite does not include the affected PostgreSQL; however, the component is shipped with Red Hat Enterprise Linux and consumed by Satellite. Red Hat Satellite users are advised to check the impact on Red Hat Enterprise Linux, since any necessary fixes will also be distributed through it.
Mitigation
Mitigation for this issue is either not available, or the currently available options do not meet the Red Hat Product Security criteria of ease of use and deployment, applicability to a widespread installation base, or stability.
Affected packages
Platform | Package | State | Advisory | Release
---|---|---|---|---
A-MQ Clients 2 | postgresql | Not affected | |
Cryostat 2 | postgresql | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | acm-multicluster-globalhub-agent-container | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | acm-multicluster-globalhub-manager-container | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | acm-multicluster-globalhub-operator-bundle-container | Not affected | |
Red Hat Advanced Cluster Management for Kubernetes 2 | acm-multicluster-globalhub-operator-container | Not affected | |
Red Hat AMQ Broker 7 | postgresql | Not affected | |
Red Hat build of Apache Camel for Spring Boot 3 | postgresql | Not affected | |
Red Hat build of Apicurio Registry 2 | postgresql | Not affected | |
Red Hat build of Debezium 1 | postgresql | Not affected | |
Additional information
Status:
CVSS3 score: 4.2 Medium