PostgreSQL 15 introduced the MERGE
command, which fails to test new rows against row security policies defined for
UPDATE
and
SELECT
. If UPDATE
and SELECT
policies forbid some row that INSERT
policies do not forbid, a
user could store such rows. Subsequent consequences are application-dependent.
This affects only databases that have used
CREATE POLICY
to define a row security policy.
The PostgreSQL project thanks Dean Rasheed for reporting this problem.
Affected Version | Fixed In | Fix Published |
---|---|---|
15 | 15.4 | Aug. 10, 2023 |
For more information about PostgreSQL versioning, please visit the versioning page.
Overall Score | 3.1 |
---|---|
Component | core server |
Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to [email protected].
For reporting non-security bugs, please see the Report a Bug page.