CVE-2023-39417 Overview
CVE-2023-39417 is a SQL injection vulnerability in PostgreSQL extension scripts that allows authenticated database users to execute arbitrary SQL as the bootstrap superuser. The flaw affects extension scripts using @extowner@, @extschema@, or @extschema:...@ placeholders inside quoting constructs such as dollar quoting, single quotes, or double quotes. An attacker with database-level CREATE privilege can exploit this issue when an administrator has installed a vulnerable, trusted, non-bundled extension. Successful exploitation results in code execution under the PostgreSQL bootstrap superuser context, breaking the security boundary between regular database users and the database administrator.
Critical Impact
Authenticated attackers with CREATE privilege can execute arbitrary code as the bootstrap superuser, leading to full database compromise.
Affected Products
- PostgreSQL (multiple versions prior to 15.4, 14.9, 13.12, 12.16, and 11.21)
- Red Hat Enterprise Linux 8 and 9, Red Hat Software Collections
- Debian Linux 8, 11, and 12
Discovery Timeline
- 2023-08-11 - CVE-2023-39417 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2023-39417
Vulnerability Analysis
The vulnerability is classified as SQL Injection [CWE-89] and resides in PostgreSQL's handling of extension installation scripts. PostgreSQL extensions are SQL script files installed by the server when a user runs CREATE EXTENSION. During processing, the server substitutes placeholder tokens including @extowner@, @extschema@, and @extschema:reqextname@ with their literal values. When these placeholders appear inside a quoting construct such as dollar quoting ($$...$$), single quotes, or double quotes, the substituted values are not properly escaped for the surrounding quoting context. An attacker who controls the value of one of these placeholders, typically the extension owner or schema name, can inject SQL that executes outside the intended quoting boundary.
The EPSS score of 0.659% places this issue in the 71st percentile for exploitation likelihood. Although no public exploit is currently catalogued, the conditions required for exploitation are well-documented in PostgreSQL's extension framework.
Root Cause
The root cause is improper escaping of placeholder substitution within quoted SQL contexts inside extension scripts. PostgreSQL substitutes placeholder text verbatim without quoting it appropriately for the enclosing literal. A schema or owner name containing quote-terminating sequences breaks out of the literal and is interpreted as SQL code at the privilege level of the script executor, the bootstrap superuser.
Attack Vector
Exploitation requires three preconditions: a vulnerable trusted non-bundled extension must be installed by an administrator, the extension script must reference one of the affected placeholders inside a quoting construct, and the attacker must hold database-level CREATE privilege. The attacker creates a schema or role whose name contains a payload designed to terminate the script's quoting construct. When the attacker invokes CREATE EXTENSION and PostgreSQL substitutes the malicious identifier into the script, the injected SQL executes as the bootstrap superuser. This yields full control of the database cluster, including the ability to read or modify any data and execute server-side functions.
No verified public exploit code is available. Refer to the PostgreSQL Security Advisory for CVE-2023-39417 for additional technical context.
Detection Methods for CVE-2023-39417
Indicators of Compromise
- Unexpected CREATE EXTENSION statements in PostgreSQL logs, particularly from non-administrative accounts
- Schema or role names containing unusual quote characters, dollar signs, or SQL keywords
- New superuser-level objects, functions, or roles created shortly after extension installation events
- Modifications to system catalogs (pg_proc, pg_authid, pg_namespace) without corresponding administrative activity
Detection Strategies
- Audit PostgreSQL server logs for CREATE EXTENSION calls and correlate with the executing role's privileges
- Review installed trusted extensions and compare against the upstream patched versions listed in vendor advisories
- Inspect extension .sql script files in SHAREDIR/extension/ for use of @extowner@, @extschema@, or @extschema:...@ inside $$, ', or " quoting
- Enable log_statement = 'ddl' to capture extension and schema operations for forensic review
Monitoring Recommendations
- Forward PostgreSQL audit logs to a centralized SIEM and alert on extension installation by non-administrator roles
- Monitor for creation of roles or schemas with non-standard characters in their identifiers
- Track privilege changes and additions to membership in superuser roles
- Baseline normal CREATE EXTENSION activity per environment and flag deviations
How to Mitigate CVE-2023-39417
Immediate Actions Required
- Upgrade PostgreSQL to a patched minor release: 15.4, 14.9, 13.12, 12.16, or 11.21 or later
- Apply distribution updates from Red Hat (RHSA-2023:7545 and related advisories) and Debian (DSA-5553, DSA-5554)
- Audit and update any third-party trusted extensions that use the affected placeholders inside quoting constructs
- Restrict database-level CREATE privilege to trusted roles only
Patch Information
The PostgreSQL Global Development Group released fixes on August 10, 2023 in versions 15.4, 14.9, 13.12, 12.16, and 11.21. Red Hat addressed the issue across multiple PostgreSQL streams; see the Red Hat CVE page for CVE-2023-39417. Debian released updates documented in the Debian LTS announcement. NetApp's response is tracked in NetApp Advisory ntap-20230915-0002.
Workarounds
- Revoke the CREATE privilege on databases and schemas from untrusted roles using REVOKE CREATE ON DATABASE ... FROM PUBLIC
- Avoid installing trusted, non-bundled extensions whose scripts have not been audited for unsafe placeholder usage
- Restrict extension installation to administrators by ensuring only superusers can run CREATE EXTENSION for affected extensions
- For custom extension authors, refactor scripts to use format() with %I identifier quoting rather than relying on raw placeholder substitution inside quoted literals
# Revoke CREATE privilege from PUBLIC on a database
REVOKE CREATE ON DATABASE mydb FROM PUBLIC;
# Revoke CREATE on the public schema
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
# Verify installed extensions and their versions
SELECT extname, extversion, extnamespace::regnamespace FROM pg_extension;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
