vulnerability
FreeBSD: VID-cfd2a634-3785-11ee-94b4-6cc21735f730 (CVE-2023-39417): postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 9 | (AV:N/AC:M/Au:S/C:C/I:C/A:C) | Aug 10, 2023 | Aug 11, 2023 | Dec 10, 2025 |
Severity
9
CVSS
(AV:N/AC:M/Au:S/C:C/I:C/A:C)
Published
Aug 10, 2023
Added
Aug 11, 2023
Modified
Dec 10, 2025
Description
PostgreSQL Project reports An extension script is vulnerable if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite is an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enables an attacker having database-level CREATE privilege to execute arbitrary code as the bootstrap superuser. PostgreSQL will block this attack in the core server, so there's no need to modify individual extensions.
Solution
freebsd-upgrade-package-postgresql-server
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.