CVE-2023-22847: 
NixOS vulnerability analysis and mitigation

An information disclosure vulnerability exists in pg_ivm versions prior to 1.5.1. An Incrementally Maintainable Materialized View (IMMV) created by pg_ivm may reflect rows with Row-Level Security that the owner of the IMMV should not have access to. The vulnerability was discovered and disclosed in March 2023, affecting the PostgreSQL extension module pg_ivm (JVN Advisory, GitHub Release).

The vulnerability occurs during view maintenance which is performed under the view owner privilege. When a modified table has Row Level Security (RLS) policy, rows in that table must be accessed by the privilege of the IMMV owner during view maintenance, and rows invisible to the view owner must not appear in the IMMV. However, the security check was not properly handled, allowing rows that should be inaccessible to the view owner to appear in the view contents when the view was refreshed incrementally during queries containing multiple types of commands, such as modifying CTE with INSERT and UPDATE, or MERGE commands. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 MEDIUM (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) (NVD, JVN Advisory).

As a result of this vulnerability, information in tables protected by Row-Level Security may be retrieved by a user who is not authorized to access it. This could lead to unauthorized exposure of sensitive data that should be restricted by the Row-Level Security policies (GitHub Release).

The vulnerability has been fixed in pg_ivm version 1.5.1. Users are advised to update to this version or later. The fix properly implements row level security checks during view maintenance to ensure that rows invisible to the view owner do not appear in the IMMV (GitHub Release).