[Japanese]

JVNDB-2023-000023

Multiple vulnerabilities in PostgreSQL extension module pg_ivm

Overview

pg_ivm provided by IVM Development Group is a PostgreSQL extension module that provides incremental view maintenance functionality of materialized views. pg_ivm contains multiple vulnerabilities listed below.
  • Exposure of sensitive information to an unauthorized actor (CWE-200) - CVE-2023-22847
    An Incrementally Maintainable Materialized View (IMMV) created by pg_ivm may reflect rows with Row-Level Security that the owner of the IMMV should not have access to.

  • Uncontrolled search path element (CWE-427) - CVE-2023-23554
    When refreshing an IMMV, pg_ivm executes functions without specifying schema names. Under certain conditions, pg_ivm may be tricked to execute unexpected functions from other schemas with the IMMV owner's privilege.


IVM Development Group reported these vulnerabilities to IPA to notify users of its solution through JVN. JPCERT/CC and IVM Development Group coordinated under the Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 5.5 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-23554

CVSS V3 Severity:
Base Metrics:4.3 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity
Base Metrics: 4.0 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single
  • Confidentiality Impact: Partial
  • Integrity Impact: None
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2023-22847
Affected Products


IVM Development Group
  • pg_ivm versions prior to 1.5.1

Impact

  • Information in tables protected by Row-Level Security may be retrieved by a user who is not authorized to access it - CVE-2023-22847
  • An unexpected function provided by an attacker may be executed with the privilege of the materialized view owner - CVE-2023-23554
Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
The developer has released pg_ivm 1.5.1 that addresses the vulnerabilities.
Vendor Information

IVM Development Group
CWE (What is CWE?)

  1. Information Exposure(CWE-200) [IPA Evaluation]
  2. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2023-22847
  2. CVE-2023-23554
References

  1. JVN : JVN#19872280
Revision History

  • [2023/03/06]
      Web page was published

Date Public2023/03/06
Date First Published2023/03/06
Date Last Updated2023/03/06