We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Zendesk (Helpdesk and Chat)
Bugpilot (Bug tracking)

Ok

THREATINT CVE Home CVE Diag Help
PUBLISHED

CVE-2023-5870

Postgresql: role pg_signal_backend can signal certain superuser processes.

Reserved:2023-10-31
Published:2023-12-10
Updated:2024-04-03

Description

A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.



LOW: 2.2CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L

Problem types

Uncontrolled Resource Consumption

Product status

16.1
unaffected

15.5
unaffected

14.10
unaffected

13.13
unaffected

12.17
unaffected

11.22
unaffected

Default status
affected

4.2.4-6 before *
unaffected

Default status
affected

4.2.4-6 before *
unaffected

Default status
affected

4.2.4-7 before *
unaffected

Default status
affected

4.2.4-6 before *
unaffected

Default status
affected

4.2.4-7 before *
unaffected

Default status
affected

8090020231114113712.a75119d5 before *
unaffected

Default status
affected

8090020231128173330.a75119d5 before *
unaffected

Default status
affected

8090020231114113548.a75119d5 before *
unaffected

Default status
affected

8020020231128165246.4cda2c84 before *
unaffected

Default status
affected

8020020231128165246.4cda2c84 before *
unaffected

Default status
affected

8020020231128165246.4cda2c84 before *
unaffected

Default status
affected

8040020231127153301.522a0ee4 before *
unaffected

Default status
affected

8040020231127154806.522a0ee4 before *
unaffected

Default status
affected

8040020231127153301.522a0ee4 before *
unaffected

Default status
affected

8040020231127154806.522a0ee4 before *
unaffected

Default status
affected

8040020231127153301.522a0ee4 before *
unaffected

Default status
affected

8040020231127154806.522a0ee4 before *
unaffected

Default status
affected

8060020231114115246.ad008a3a before *
unaffected

Default status
affected

8060020231128165328.ad008a3a before *
unaffected

Default status
affected

8080020231114105206.63b34585 before *
unaffected

Default status
affected

8080020231128165335.63b34585 before *
unaffected

Default status
affected

8080020231113134015.63b34585 before *
unaffected

Default status
affected

0:13.13-1.el9_3 before *
unaffected

Default status
affected

9030020231120082734.rhel9 before *
unaffected

Default status
affected

0:13.13-1.el9_0 before *
unaffected

Default status
affected

0:13.13-1.el9_2 before *
unaffected

Default status
affected

9020020231115020618.rhel9 before *
unaffected

Default status
affected

0:12.17-1.el7 before *
unaffected

Default status
affected

0:13.13-1.el7 before *
unaffected

Default status
affected

3.74.8-9 before *
unaffected

Default status
affected

3.74.8-9 before *
unaffected

Default status
affected

3.74.8-7 before *
unaffected

Default status
affected

3.74.8-9 before *
unaffected

Default status
affected

3.74.8-9 before *
unaffected

Default status
affected

4.1.6-6 before *
unaffected

Default status
affected

4.1.6-6 before *
unaffected

Default status
affected

4.1.6-6 before *
unaffected

Default status
affected

4.1.6-6 before *
unaffected

Default status
affected

4.1.6-6 before *
unaffected

Default status
unknown

Default status
affected

Default status
affected

Default status
unaffected

Default status
unaffected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Default status
affected

Timeline

2023-10-31:Reported to Red Hat.
2023-11-09:Made public.

Credits

Upstream acknowledges Hemanth Sandrana and Mahendrakar Srinivasarao as the original reporters.

References

https://access.redhat.com/errata/RHSA-2023:7545 (RHSA-2023:7545) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7579 (RHSA-2023:7579) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7580 (RHSA-2023:7580) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7581 (RHSA-2023:7581) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7616 (RHSA-2023:7616) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7656 (RHSA-2023:7656) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7666 (RHSA-2023:7666) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7667 (RHSA-2023:7667) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7694 (RHSA-2023:7694) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7695 (RHSA-2023:7695) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7714 (RHSA-2023:7714) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7770 (RHSA-2023:7770) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7772 (RHSA-2023:7772) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7784 (RHSA-2023:7784) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7785 (RHSA-2023:7785) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7883 (RHSA-2023:7883) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7884 (RHSA-2023:7884) vendor-advisory

https://access.redhat.com/errata/RHSA-2023:7885 (RHSA-2023:7885) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:0304 (RHSA-2024:0304) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:0332 (RHSA-2024:0332) vendor-advisory

https://access.redhat.com/errata/RHSA-2024:0337 (RHSA-2024:0337) vendor-advisory

https://access.redhat.com/security/cve/CVE-2023-5870 vdb-entry

https://bugzilla.redhat.com/show_bug.cgi?id=2247170 (RHBZ#2247170) issue-tracking

https://security.netapp.com/advisory/ntap-20240119-0003/

https://www.postgresql.org/about/news/postgresql-161-155-1410-1313-1217-and-1122-released-2749/

https://www.postgresql.org/support/security/CVE-2023-5870/

cve.org CVE-2023-5870

nvd.nist.gov CVE-2023-5870

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2023-5870