Lucene search

[email protected]NVD:CVE-2023-31131

HistoryMay 15, 2023 - 10:15 p.m.

CVE-2023-31131

2023-05-1522:15:12

CWE-22

[email protected]

web.nvd.nist.gov

greenplum database

path traversal

arbitrary file writes

system crash

upgrade

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

7.9

Confidence

High

EPSS

0.002

Percentile

55.9%

JSON

Greenplum Database (GPDB) is an open source data warehouse based on PostgreSQL. In versions prior to 6.22.3 Greenplum Database used an unsafe methods to extract tar files within GPPKGs. greenplum-db is vulnerable to path traversal leading to arbitrary file writes. An attacker can use this vulnerability to overwrite data or system files potentially leading to crash or malfunction of the system. Any files which are accessible to the running process are at risk. All users are requested to upgrade to Greenplum Database version 6.23.2 or higher. There are no known workarounds for this vulnerability.

Affected configurations

Nvd

Node

vmwaregreenplum_databaseRange<6.22.3

VendorProductVersionCPE
vmwaregreenplum_database*cpe:2.3:a:vmware:greenplum_database:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
vmware	greenplum_database	*	cpe:2.3:a:vmware:greenplum_database::::::::

References

github.com/greenplum-db/gpdb/commit/1ec4affbba7c9745f64edbd80a6680ad29b09471

github.com/greenplum-db/gpdb/security/advisories/GHSA-hgm9-2q42-c7f3

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

AI Score

7.9

Confidence

High

EPSS

0.002

Percentile

55.9%

JSON

Related for NVD:CVE-2023-31131

cve1 cvelist1 osv1 prion1