Security Bulletin: The Network Threat Analytics App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Vulnerability Details

CVEID:   CVE-2023-2454
DESCRIPTION:   schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   6
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2023-5869
DESCRIPTION:   A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.
CWE:   CWE-190: Integer Overflow or Wraparound
CVSS Source:   redhat
CVSS Base score:   8.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-7348
DESCRIPTION:   Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
CWE:   CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CVSS Source:   IBM X-Force
CVSS Base score:   8.8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-10976
DESCRIPTION:   Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CWE:   CWE-1250: Improper Preservation of Consistency Between Independent Representations of Shared State
CVSS Source:   NVD
CVSS Base score:   5.4
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2022-41862
DESCRIPTION:   In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
CWE:   CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVSS Source:   NVD
CVSS Base score:   3.7
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2023-2455
DESCRIPTION:   Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.
CWE:   CWE-20: Improper Input Validation
CVSS Source:   IBM X-Force
CVSS Base score:   7.1
CVSS Vector:   (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)

CVEID:   CVE-2024-10978
DESCRIPTION:   Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CWE:   CWE-266: Incorrect Privilege Assignment
CVSS Source:   NVD
CVSS Base score:   4.2
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2023-5870
DESCRIPTION:   A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.
CWE:   CWE-400: Uncontrolled Resource Consumption
CVSS Source:   IBM X-Force
CVSS Base score:   2.2
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2023-5868
DESCRIPTION:   A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.
CWE:   CWE-686: Function Call With Incorrect Argument Type
CVSS Source:   IBM X-Force
CVSS Base score:   4.3
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2022-2625
DESCRIPTION:   A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
CWE:   CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
CVSS Source:   IBM X-Force
CVSS Base score:   7.1
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-10979
DESCRIPTION:   Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CWE:   CWE-15: External Control of System or Configuration Setting
CVSS Source:   NVD
CVSS Base score:   8.8
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-0985
DESCRIPTION:   Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
CWE:   CWE-271: Privilege Dropping / Lowering Errors
CVSS Source:   IBM X-Force
CVSS Base score:   8
CVSS Vector:   (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)

CVEID:   CVE-2023-39417
DESCRIPTION:   IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.
CWE:   CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS Source:   CVE.org
CVSS Base score:   7.5
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

CVEID:   CVE-2024-10977
DESCRIPTION:   Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CWE:   CWE-348: Use of Less Trusted Source
CVSS Source:   NVD
CVSS Base score:   3.7
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2026-0994
DESCRIPTION:   A denial-of-service (DoS) vulnerability exists in google.protobuf.json_format.ParseDict() in Python, where the max_recursion_depth limit can be bypassed when parsing nested google.protobuf.Any messages. Due to missing recursion depth accounting inside the internal Any-handling logic, an attacker can supply deeply nested Any structures that bypass the intended recursion limit, eventually exhausting Python’s recursion stack and causing a RecursionError.
CWE:   CWE-674: Uncontrolled Recursion
CVSS Source:   cve-coordination@google.com
CVSS Base score:   8.2
CVSS Vector:   (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)