CVE-2023-2455

Row security policies disregard user ID changes after inlining

While CVE-2016-2193 fixed most interaction between row security and user ID changes, it missed a scenario involving function inlining. This leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

The PostgreSQL project thanks Wolfgang Walther for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
15 15.3 May 11, 2023
14 14.8 May 11, 2023
13 13.11 May 11, 2023
12 12.15 May 11, 2023
11 11.20 May 11, 2023

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 4.2
Component core server
Vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to [email protected].

For reporting non-security bugs, please see the Report a Bug page.