CVE-2023-22847 - Vulnerability Details - OpenCVE

Information disclosure vulnerability exists in pg_ivm versions prior to 1.5.1. An Incrementally Maintainable Materialized View (IMMV) created by pg_ivm may reflect rows with Row-Level Security that the owner of the IMMV should not have access to. As a result, information in tables protected by Row-Level Security may be retrieved by a user who is not authorized to access it.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Sraoss	Pg Ivm

Configuration 1 [-]

cpe:2.3:a:sraoss:pg_ivm:*:*:*:*:*:postgresql:*:*

No data.

References

Link	Providers
https://github.com/sraoss/pg_ivm
https://github.com/sraoss/pg_ivm/releases/tag/v1.5.1
https://jvn.jp/en/jp/JVN19872280/

History

Thu, 06 Mar 2025 17:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: jpcert

Published: 2023-03-07T00:00:00.000Z

Updated: 2025-03-06T16:57:41.724Z

Reserved: 2023-02-28T00:00:00.000Z

Link: CVE-2023-22847

Vulnrichment

Updated: 2024-08-02T10:20:31.077Z

NVD

Status : Modified

Published: 2023-03-07T01:15:10.300

Modified: 2025-03-06T17:15:16.783

Link: CVE-2023-22847

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-22847", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "assignerShortName": "jpcert", "dateUpdated": "2025-03-06T16:57:41.724Z", "dateReserved": "2023-02-28T00:00:00.000Z", "datePublished": "2023-03-07T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2023-03-07T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Information disclosure vulnerability exists in pg_ivm versions prior to 1.5.1. An Incrementally Maintainable Materialized View (IMMV) created by pg_ivm may reflect rows with Row-Level Security that the owner of the IMMV should not have access to. As a result, information in tables protected by Row-Level Security may be retrieved by a user who is not authorized to access it."}], "affected": [{"vendor": "IVM Development Group", "product": "pg_ivm", "versions": [{"version": "versions prior to 1.5.1", "status": "affected"}]}], "references": [{"url": "https://github.com/sraoss/pg_ivm"}, {"url": "https://github.com/sraoss/pg_ivm/releases/tag/v1.5.1"}, {"url": "https://jvn.jp/en/jp/JVN19872280/"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "Exposure of sensitive information to an unauthorized actor"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:31.077Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/sraoss/pg_ivm", "tags": ["x_transferred"]}, {"url": "https://github.com/sraoss/pg_ivm/releases/tag/v1.5.1", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN19872280/", "tags": ["x_transferred"]}]}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-200", "lang": "en", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2025-03-06T16:57:36.646072Z", "id": "CVE-2023-22847", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-06T16:57:41.724Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/sraoss/pg_ivm", "tags": ["x_transferred"]}, {"url": "https://github.com/sraoss/pg_ivm/releases/tag/v1.5.1", "tags": ["x_transferred"]}, {"url": "https://jvn.jp/en/jp/JVN19872280/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T10:20:31.077Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2023-22847", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-06T16:57:36.646072Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-06T16:57:30.229Z"}}], "cna": {"affected": [{"vendor": "IVM Development Group", "product": "pg_ivm", "versions": [{"status": "affected", "version": "versions prior to 1.5.1"}]}], "references": [{"url": "https://github.com/sraoss/pg_ivm"}, {"url": "https://github.com/sraoss/pg_ivm/releases/tag/v1.5.1"}, {"url": "https://jvn.jp/en/jp/JVN19872280/"}], "descriptions": [{"lang": "en", "value": "Information disclosure vulnerability exists in pg_ivm versions prior to 1.5.1. An Incrementally Maintainable Materialized View (IMMV) created by pg_ivm may reflect rows with Row-Level Security that the owner of the IMMV should not have access to. As a result, information in tables protected by Row-Level Security may be retrieved by a user who is not authorized to access it."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "text", "description": "Exposure of sensitive information to an unauthorized actor"}]}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2023-03-07T00:00:00.000Z"}}}, "cveMetadata": {"cveId": "CVE-2023-22847", "state": "PUBLISHED", "dateUpdated": "2025-03-06T16:57:41.724Z", "dateReserved": "2023-02-28T00:00:00.000Z", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "datePublished": "2023-03-07T00:00:00.000Z", "assignerShortName": "jpcert"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sraoss:pg_ivm:*:*:*:*:*:postgresql:*:*", "matchCriteriaId": "F63AF103-5E29-464C-AA20-A9063C05FDA6", "versionEndExcluding": "1.5.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Information disclosure vulnerability exists in pg_ivm versions prior to 1.5.1. An Incrementally Maintainable Materialized View (IMMV) created by pg_ivm may reflect rows with Row-Level Security that the owner of the IMMV should not have access to. As a result, information in tables protected by Row-Level Security may be retrieved by a user who is not authorized to access it."}], "id": "CVE-2023-22847", "lastModified": "2025-03-06T17:15:16.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2023-03-07T01:15:10.300", "references": [{"source": "vultures@jpcert.or.jp", "tags": ["Product"], "url": "https://github.com/sraoss/pg_ivm"}, {"source": "vultures@jpcert.or.jp", "tags": ["Release Notes"], "url": "https://github.com/sraoss/pg_ivm/releases/tag/v1.5.1"}, {"source": "vultures@jpcert.or.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN19872280/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/sraoss/pg_ivm"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes"], "url": "https://github.com/sraoss/pg_ivm/releases/tag/v1.5.1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/en/jp/JVN19872280/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}