CVE-2023-41117

Published Dec 12, 2023

Last updated a year ago

CVSS critical 9.8

Overview

Description: An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It contain packages, standalone packages, and functions that run SECURITY DEFINER but are inadequately secured against search_path attacks.
Source: cve@mitre.org
NVD status: Analyzed

Risk scores

CVSS 3.1

Type: Primary
Base score: 9.8
Impact score: 5.9
Exploitability score: 3.9
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity: CRITICAL

Weaknesses

nvd@nist.gov: CWE-427

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:enterprisedb:postgres_advanced_server:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6892B548-6E0D-47B5-9AD7-3EA937C243FE",
            "versionEndExcluding": "11.21.32"
          },
          {
            "criteria": "cpe:2.3:a:enterprisedb:postgres_advanced_server:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "15246CD4-D4F0-4FE7-AE1A-BDD2FCC67B5C",
            "versionEndExcluding": "12.16.20",
            "versionStartIncluding": "12.0.0"
          },
          {
            "criteria": "cpe:2.3:a:enterprisedb:postgres_advanced_server:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "C3FA205A-6BF7-492C-A0F3-5AD01E35CC41",
            "versionEndExcluding": "13.12.17",
            "versionStartIncluding": "13.0.0"
          },
          {
            "criteria": "cpe:2.3:a:enterprisedb:postgres_advanced_server:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "12EC69DE-AFB1-476F-88BB-C7C0C348C19F",
            "versionEndExcluding": "14.9.0",
            "versionStartIncluding": "14.0.0"
          },
          {
            "criteria": "cpe:2.3:a:enterprisedb:postgres_advanced_server:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D3B7765D-34FD-479B-9C4E-9CAC34CC1AD2",
            "versionEndExcluding": "15.4.0",
            "versionStartIncluding": "15.0.0"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.1

Weaknesses

Social media

Configurations

References