9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.3%
This security bulletin identifies a set of common vulnerabilities that have been addressed in EDB Postgres Advanced Server with IBM 15.4.
CVEID:CVE-2023-41113
**DESCRIPTION:**EnterpriseDB Postgres Advanced Server could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the accesshistory() function. By sending a specially crafted request, an attacker could exploit this vulnerability to enumerate file existence information, and use this information to launch further attacks against the affected system.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264021 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID:CVE-2023-41114
**DESCRIPTION:**EnterpriseDB Postgres Advanced Server could allow a remote authenticated attacker to obtain sensitive information, caused by improper permission validation by the get_url_as_text and get_url_as_bytea functions. By sending a specially crafted request, an attacker could exploit this vulnerability to read arbitrary files and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264024 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2023-41115
**DESCRIPTION:**EnterpriseDB Postgres Advanced Server could allow a remote authenticated attacker to obtain sensitive information, caused by improper permission validation by the UTL_ENCODE function. By sending a specially crafted request, an attacker could exploit this vulnerability to read any large object information, and use this information to launch further attacks against the affected system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264025 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID:CVE-2023-41116
**DESCRIPTION:**EnterpriseDB Postgres Advanced Server could allow a remote authenticated attacker to bypass security restrictions, caused by improper permission validation when using DBMS_MVIEW. By sending a specially crafted request, an attacker could exploit this vulnerability to refresh any materialized view.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264023 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVEID:CVE-2023-41117
**DESCRIPTION:**EnterpriseDB Postgres Advanced Server could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a search_path attack in the SECURITY DEFINER functions. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264018 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2023-41118
**DESCRIPTION:**EnterpriseDB Postgres Advanced Server could allow a remote authenticated attacker to bypass security restrictions caused by a UTL_FILE permission bypass. By configuring file locations using CREATE DIRECTORY, an attacker could exploit this vulnerability to bypass authorization requirements and access underlying implementation functions.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264022 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
CVEID:CVE-2023-41119
**DESCRIPTION:**EnterpriseDB Postgres Advanced Server could allow a remote authenticated attacker to gain elevated privileges on the system, caused by a flaw in the dbms_aq helper function. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to run arbitrary SQL as a superuser.
CVSS Base score: 8.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264020 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CVEID:CVE-2023-41120
**DESCRIPTION:**EnterpriseDB Postgres Advanced Server could allow a remote authenticated attacker to bypass security restrictions, caused by improper permission validation by the DBMS_PROFILER function. By sending a specially crafted request, an attacker could exploit this vulnerability to remove all accumulated profiling data on a system-wide basis.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/264026 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Affected Product(s) | Version(s) |
---|---|
EDB Postgres Advanced Server with IBM | All Versions before 15.4. |
IBM Data Management Platform for EDB Postgres Enterprise for IBM Cloud Pak for Data
| All versions before 4.7.3 and 4.8.0.
Product | Remediation/Fix | Link |
---|---|---|
EDB Postgres Advanced Server with IBM | Update to latest supported version | |
(at least 15.4.0) and patch existing clusters. |
Download product versions from IBM Passport Advantage Online.
IBM Data Management Platform for EDB Postgres Enterprise for IBM Cloud Pak for Data| Update to latest supported version
4.7.3 or 4.8.0 or later.|
Follow the instructions to install or upgrade EDB in the What’s new or changed in EDB Postgres in the IBM Cloud Pak for Data documentation.
None
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
8.7 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
39.3%