Red Hat Enterprise Linux
Description
Red Hat Enterprise Linux (RHEL) is a commercial open-source Linux distribution developed by Red Hat for the commercial market.
Website
Product names
enterprise_linux, Red Hat Enterprise Linux 6
Related organization
CVE-2023-2455 (GCVE-0-2023-2455)
Published: 2023-06-09 00:00 – Updated: 2025-01-06 17:13
Summary
Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
Severity ?
5.4 (Medium)
CWE
Assigner
References
Impacted products
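| Vendor | Product | Version |
|---|---|---|
| n/a | postgresql | Affected: PostgreSQL 15.3, PostgreSQL 14.8, PostgreSQL 13.11, PostgreSQL 12.15, PostgreSQL 11.20 |

Note: the CNA record gives this as a single free-text version string rather than per-branch ranges, so automated version matching against it is unreliable. The listed numbers appear to be the per-branch releases that carry the fix rather than the only affected releases; confirm the affected and fixed versions for each branch in the PostgreSQL advisory linked in the references.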
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T06:26:08.921Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://access.redhat.com/security/cve/CVE-2023-2455"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.postgresql.org/support/security/CVE-2023-2455/"
},
{
"tags": [
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20230706-0006/"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2023-2455",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-06T17:13:19.051067Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-06T17:13:23.297Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "postgresql",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "PostgreSQL 15.3, PostgreSQL 14.8, PostgreSQL 13.11, PostgreSQL 12.15, PostgreSQL 11.20"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-20",
"description": "CWE-20",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-07-06T00:00:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"url": "https://access.redhat.com/security/cve/CVE-2023-2455"
},
{
"url": "https://www.postgresql.org/support/security/CVE-2023-2455/"
},
{
"url": "https://security.netapp.com/advisory/ntap-20230706-0006/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2023-2455",
"datePublished": "2023-06-09T00:00:00",
"dateReserved": "2023-05-01T00:00:00",
"dateUpdated": "2025-01-06T17:13:23.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-12121 (GCVE-0-2018-12121)
Published: 2018-11-28 17:00 – Updated: 2024-12-27 16:02
Summary
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.
Severity ?
No CVSS data available.
CWE
- CWE-400 - Uncontrolled Resource Consumption / Denial of Service
Assigner
References
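| URL | Tags |
|---|---|
| https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/ | x_refsource_CONFIRM |
| http://www.securityfocus.com/bid/106043 | vdb-entry, x_refsource_BID |
| https://access.redhat.com/errata/RHSA-2019:1821 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2019:2258 | vendor-advisory, x_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2019:3497 | vendor-advisory, x_refsource_REDHAT |
| https://security.gentoo.org/glsa/202003-48 | vendor-advisory, x_refsource_GENTOO |
| https://security.netapp.com/advisory/ntap-20241227-0008/ | |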
Impacted products
| Vendor | Product | Version |
|---|---|---|
| The Node.js Project | Node.js | Affected: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-12-27T16:02:58.114Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "RHSA-2019:2258",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"name": "RHSA-2019:3497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3497"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
},
{
"url": "https://security.netapp.com/advisory/ntap-20241227-0008/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "The Node.js Project",
"versions": [
{
"status": "affected",
"version": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
],
"datePublic": "2018-11-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption / Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:06",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "RHSA-2019:2258",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"name": "RHSA-2019:3497",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2019:3497"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2018-12121",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0"
}
]
}
}
]
},
"vendor_name": "The Node.js Project"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption / Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/",
"refsource": "CONFIRM",
"url": "https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/"
},
{
"name": "106043",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/106043"
},
{
"name": "RHSA-2019:1821",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:1821"
},
{
"name": "RHSA-2019:2258",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:2258"
},
{
"name": "RHSA-2019:3497",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2019:3497"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2018-12121",
"datePublished": "2018-11-28T17:00:00",
"dateReserved": "2018-06-11T00:00:00",
"dateUpdated": "2024-12-27T16:02:58.114Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}