Other official information and services: www.belgium.be

WARNING: CRITICAL 9.8 VULNERABILITY IN ENTERPRISEDB (EDB) POSTGRES ADVANCED SERVER (EPAS). PATCH IMMEDIATELY!

Référence:

Advisory #2023-156

Version:

1.0

Logiciels concernés :

EnterpriseDB Postgres Advanced Server (EPAS) <11.21.32

EnterpriseDB Postgres Advanced Server (EPAS) <12.16.20

EnterpriseDB Postgres Advanced Server (EPAS) <13.12.17

EnterpriseDB Postgres Advanced Server (EPAS) <14.9.0

EnterpriseDB Postgres Advanced Server (EPAS) <15.4.0

Type:

SEARCH_PATH attack

CVE/CVSS:

CVE-2023-41117 - CVSS: 9.8 (CRITICAL)
(CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Date:

03/01/2024

Sources

Risques

EnterpriseDB Postgres Advanced Server is a PostgreSQL relational database management server (RDBMS). CVE-2023-41117 vulnerable versions contain packages, standalone packages, and functions that run SECURITY DEFINER but are inadequately secured against SEARCH_PATH attacks.

Description

A successful PostgreSQL SEARCH_PATH attack lets a malicious user create objects (e.g., tables, functions, and operators) which can severely impact the integrity of the database.

No exploits are publicly available at the time of writing.

Actions recommandées

The Centre for Cyber Security Belgium strongly recommends system administrators to upgrade to version 11.21.32, 12.16.20, 13.12.16, 14.9.0 or 15.4.0 to eliminate the vulnerability.

Cert

WARNING: CRITICAL 9.8 VULNERABILITY IN ENTERPRISEDB (EDB) POSTGRES ADVANCED SERVER (EPAS). PATCH IMMEDIATELY!

Sources

Risques

Description

Actions recommandées

Références