EnterpriseDB Postgres Advanced Server up to 15.3.x improper authorization

Summaryinfo

A vulnerability, which was classified as critical, has been found in EnterpriseDB Postgres Advanced Server up to 11.21.31/12.16.19/13.12.15/14.8.x/15.3.x. This impacts an unknown function. This manipulation causes improper authorization. This vulnerability is registered as CVE-2023-41118. No exploit is available. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in EnterpriseDB Postgres Advanced Server up to 11.21.31/12.16.19/13.12.15/14.8.x/15.3.x. Affected by this vulnerability is an unknown functionality. The manipulation with an unknown input leads to a improper authorization vulnerability. The CWE definition for the vulnerability is CWE-285. The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It may allow an authenticated user to bypass authorization requirements and access underlying implementation functions. When a superuser has configured file locations using CREATE DIRECTORY, these functions allow users to take a wide range of actions, including read, write, copy, rename, and delete.

The weakness was published 12/12/2023. The advisory is shared at enterprisedb.com. This vulnerability is known as CVE-2023-41118 since 08/23/2023. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1548.002 for this issue.

Upgrading to version 11.21.32, 12.16.20, 13.12.16, 14.9.0 or 15.4.0 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• EnterpriseDB

Name

• Postgres Advanced Server

Version

• 11.21.0
• 11.21.1
• 11.21.2
• 11.21.3
• 11.21.4
• 11.21.5
• 11.21.6
• 11.21.7
• 11.21.8
• 11.21.9
• 11.21.10
• 11.21.11
• 11.21.12
• 11.21.13
• 11.21.14
• 11.21.15
• 11.21.16
• 11.21.17
• 11.21.18
• 11.21.19
• 11.21.20
• 11.21.21
• 11.21.22
• 11.21.23
• 11.21.24
• 11.21.25
• 11.21.26
• 11.21.27
• 11.21.28
• 11.21.29
• 11.21.30
• 11.21.31
• 12.16.0
• 12.16.1
• 12.16.2
• 12.16.3
• 12.16.4
• 12.16.5
• 12.16.6
• 12.16.7
• 12.16.8
• 12.16.9
• 12.16.10
• 12.16.11
• 12.16.12
• 12.16.13
• 12.16.14
• 12.16.15
• 12.16.16
• 12.16.17
• 12.16.18
• 12.16.19
• 13.12.0
• 13.12.1
• 13.12.2
• 13.12.3
• 13.12.4
• 13.12.5
• 13.12.6
• 13.12.7
• 13.12.8
• 13.12.9
• 13.12.10
• 13.12.11
• 13.12.12
• 13.12.13
• 13.12.14
• 13.12.15
• 14.0
• 14.1
• 14.2
• 14.3
• 14.4
• 14.5
• 14.6
• 14.7
• 14.8
• 15.0
• 15.1
• 15.2
• 15.3

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion