CVE-2023-5868

A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 4.3 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| redhat | CNA | 4.3 MEDIUM | NETWORK | LOW | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CVE | ADP | --- | | | | --- |
Base Score chart (CVSS 3.x). EPSS Score percentile: 85%.
| Vendor | Product | Version |
|---|---|---|
| postgresql | postgresql | 11.0 ≤ x < 11.22 |
| postgresql | postgresql | 12.0 ≤ x < 12.17 |
| postgresql | postgresql | 13.0 ≤ x < 13.13 |
| postgresql | postgresql | 14.0 ≤ x < 14.10 |
| postgresql | postgresql | 15.0 ≤ x < 15.5 |
| postgresql | postgresql | 16.0 |
| redhat | codeready_linux_builder_eus | 9.2 |
| redhat | codeready_linux_builder_eus_for_power_little_endian_eus | 9.0_ppc64le:_ppc64le |
| redhat | codeready_linux_builder_eus_for_power_little_endian_eus | 9.2_ppc64le:_ppc64le |
| redhat | codeready_linux_builder_for_arm64_eus | 8.6_aarch64:_aarch64 |
| redhat | codeready_linux_builder_for_arm64_eus | 9.0_aarch64:_aarch64 |
| redhat | codeready_linux_builder_for_arm64_eus | 9.2_aarch64:_aarch64 |
| redhat | codeready_linux_builder_for_ibm_z_systems_eus | 9.0_s390x:_s390x |
| redhat | codeready_linux_builder_for_ibm_z_systems_eus | 9.2_s390x:_s390x |
| redhat | codeready_linux_builder_for_power_little_endian_eus | 9.0_ppc64le:_ppc64le |
| redhat | codeready_linux_builder_for_power_little_endian_eus | 9.2_ppc64le:_ppc64le |
| redhat | software_collections | 1.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
| redhat | enterprise_linux_eus | 8.6 |
| redhat | enterprise_linux_eus | 8.8 |
| redhat | enterprise_linux_eus | 9.0 |
| redhat | enterprise_linux_eus | 9.2 |
| redhat | enterprise_linux_for_arm_64 | 8.0 |
| redhat | enterprise_linux_for_arm_64 | 8.8_aarch64:_aarch64 |
| redhat | enterprise_linux_for_ibm_z_systems | 8.0_s390x:_s390x |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 8.6_s390x:_s390x |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 8.8_s390x:_s390x |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 9.0_s390x:_s390x |
| redhat | enterprise_linux_for_ibm_z_systems_eus | 9.2_s390x:_s390x |
| redhat | enterprise_linux_for_power_little_endian | 8.0_ppc64le:_ppc64le |
| redhat | enterprise_linux_for_power_little_endian_eus | 8.6_ppc64le:_ppc64le |
| redhat | enterprise_linux_for_power_little_endian_eus | 8.8_ppc64le:_ppc64le |
| redhat | enterprise_linux_for_power_little_endian_eus | 9.0_ppc64le:_ppc64le |
| redhat | enterprise_linux_for_power_little_endian_eus | 9.2_ppc64le:_ppc64le |
| redhat | enterprise_linux_server_aus | 8.2 |
| redhat | enterprise_linux_server_aus | 8.4 |
| redhat | enterprise_linux_server_aus | 8.6 |
| redhat | enterprise_linux_server_aus | 9.2 |
| redhat | enterprise_linux_server_tus | 8.2 |
| redhat | enterprise_linux_server_tus | 8.4 |
| redhat | enterprise_linux_server_tus | 8.6 |

x = vulnerable software version
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| postgresql-13 | bullseye | 13.16-0+deb11u1 | fixed |
| postgresql-13 | bullseye (security) | 13.18-0+deb11u1 | fixed |
| postgresql-15 | bookworm | 15.8-0+deb12u1 | fixed |
| postgresql-15 | bookworm (security) | 15.10-0+deb12u1 | fixed |
Ubuntu Releases

Status per codename (dne = package does not exist in that release; "released" entries give the fixed package version):

| Ubuntu Product | oracular | noble | mantic | lunar | jammy | focal | bionic | xenial | trusty |
|---|---|---|---|---|---|---|---|---|---|
| postgresql-10 | dne | dne | dne | dne | dne | dne | released: 10.23-0ubuntu0.18.04.2+esm1 | dne | dne |
| postgresql-12 | dne | dne | dne | dne | dne | released: 12.17-0ubuntu0.20.04.1 | dne | dne | ignored |
| postgresql-14 | dne | dne | dne | dne | released: 14.10-0ubuntu0.22.04.1 | dne | dne | dne | dne |
| postgresql-15 | dne | dne | released: 15.5-0ubuntu0.23.10.1 | released: 15.5-0ubuntu0.23.04.1 | dne | dne | dne | dne | dne |
| postgresql-16 | not-affected | not-affected | dne | dne | dne | dne | dne | dne | dne |
| postgresql-9.1 | dne | dne | dne | dne | dne | dne | dne | dne | ignored |
| postgresql-9.3 | dne | dne | dne | dne | dne | dne | dne | dne | ignored |
| postgresql-9.5 | dne | dne | dne | dne | dne | dne | dne | not-affected | dne |
References