CVE-2023-23554: 
NixOS vulnerability analysis and mitigation

CVE-2023-23554 is an uncontrolled search path element vulnerability discovered in pgivm versions prior to 1.5.1. The vulnerability was disclosed on March 6, 2023, affecting the PostgreSQL extension module pgivm, which provides Incremental View Maintenance (IVM) functionality. When refreshing an Incrementally Maintainable Materialized View (IMMV), pg_ivm executes functions without specifying schema names, which can lead to security issues (JVN Advisory, NVD).

The vulnerability stems from pgivm's handling of function execution during IMMV refresh operations. The core issue is that functions in pgcatalog schema used during view maintenance were not properly qualified with schema names. This could allow functions in other schemas to be referenced unintentionally. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

Under certain conditions, pgivm may be tricked to execute unexpected functions from other schemas with the IMMV owner's privilege. This could result in privilege escalation where a malicious user with function creation capabilities could execute arbitrary functions under the IMMV owner's privilege ([GitHub Release](https://github.com/sraoss/pgivm/releases/tag/v1.5.1), JVN Advisory).

The vulnerability has been fixed in pgivm version 1.5.1. The fix includes proper qualification of function names during maintenance and rebuilding of query plans for recalculating min/max values after searchpath changes. Users are strongly advised to upgrade to version 1.5.1 or later to address this security issue (GitHub Release, JVN Advisory).