WARNING: CRITICAL 9.8 VULNERABILITY IN ENTERPRISEDB (EDB) POSTGRES ADVANCED SERVER (EPAS). PATCH IMMEDIATELY!
CVE-2023-41117 - CVSS: 9.8 (CRITICAL)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Bronnen
- https://www.postgresql.org/docs/current/sql-createfunction.html#SQL-CREA...
- https://www.enterprisedb.com/docs/security/advisories/cve202341117/
Risico’s
EnterpriseDB Postgres Advanced Server is a PostgreSQL relational database management server (RDBMS). CVE-2023-41117 vulnerable versions contain packages, standalone packages, and functions that run SECURITY DEFINER but are inadequately secured against SEARCH_PATH attacks.
Beschrijving
A successful PostgreSQL SEARCH_PATH attack lets a malicious user create objects (e.g., tables, functions, and operators) which can severely impact the integrity of the database.
No exploits are publicly available at the time of writing.
Aanbevolen acties
The Centre for Cyber Security Belgium strongly recommends system administrators to upgrade to version 11.21.32, 12.16.20, 13.12.16, 14.9.0 or 15.4.0 to eliminate the vulnerability.