CVE-2023-41120

An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It permits an authenticated user to use DBMS_PROFILER to remove all accumulated profiling data on a system-wide basis, regardless of that user's permissions.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.enterprisedb.com/docs/security/advisories/cve202341120/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:enterprisedb:postgres_advanced_server::::::::
	cpe:2.3:a:enterprisedb:postgres_advanced_server::::::::
	cpe:2.3:a:enterprisedb:postgres_advanced_server::::::::
	cpe:2.3:a:enterprisedb:postgres_advanced_server::::::::
	cpe:2.3:a:enterprisedb:postgres_advanced_server::::::::

History

14 Dec 2023, 19:54

Type	Values Removed	Values Added
CWE		CWE-668
CPE		cpe:2.3:a:enterprisedb:postgres_advanced_server::::::::
References	~~() https://www.enterprisedb.com/docs/security/advisories/cve202341120/ -~~	() https://www.enterprisedb.com/docs/security/advisories/cve202341120/ - Vendor Advisory
First Time		Enterprisedb Enterprisedb postgres Advanced Server

12 Dec 2023, 13:43

Type	Values Removed	Values Added
Summary		(es) Se descubrió un problema en EnterpriseDB Postgres Advanced Server (EPAS) antes de 11.21.32, 12.x antes de 12.16.20, 13.x antes de 13.12.16, 14.x antes de 14.9.0 y 15.x antes de 15.4.0. Permite que un usuario autenticado utilice DBMS_PROFILER para eliminar todos los datos de creación de perfiles acumulados en todo el sistema, independientemente de los permisos de ese usuario.

12 Dec 2023, 07:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-12-12 07:15

Updated : 2023-12-14 19:54

NVD link : CVE-2023-41120

Mitre link : CVE-2023-41120

CVE.ORG link : CVE-2023-41120

JSON object : View

Products Affected

enterprisedb

postgres_advanced_server

CWE

CWE-668

Exposure of Resource to Wrong Sphere

{"id": "CVE-2023-41120", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-12-12T07:15:45.860", "references": [{"url": "https://www.enterprisedb.com/docs/security/advisories/cve202341120/", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-668"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. It permits an authenticated user to use DBMS_PROFILER to remove all accumulated profiling data on a system-wide basis, regardless of that user's permissions."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en EnterpriseDB Postgres Advanced Server (EPAS) antes de 11.21.32, 12.x antes de 12.16.20, 13.x antes de 13.12.16, 14.x antes de 14.9.0 y 15.x antes de 15.4.0. Permite que un usuario autenticado utilice DBMS_PROFILER para eliminar todos los datos de creaci\u00f3n de perfiles acumulados en todo el sistema, independientemente de los permisos de ese usuario."}], "lastModified": "2023-12-14T19:54:24.970", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:enterprisedb:postgres_advanced_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6892B548-6E0D-47B5-9AD7-3EA937C243FE", "versionEndExcluding": "11.21.32"}, {"criteria": "cpe:2.3:a:enterprisedb:postgres_advanced_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "15246CD4-D4F0-4FE7-AE1A-BDD2FCC67B5C", "versionEndExcluding": "12.16.20", "versionStartIncluding": "12.0.0"}, {"criteria": "cpe:2.3:a:enterprisedb:postgres_advanced_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C3FA205A-6BF7-492C-A0F3-5AD01E35CC41", "versionEndExcluding": "13.12.17", "versionStartIncluding": "13.0.0"}, {"criteria": "cpe:2.3:a:enterprisedb:postgres_advanced_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "12EC69DE-AFB1-476F-88BB-C7C0C348C19F", "versionEndExcluding": "14.9.0", "versionStartIncluding": "14.0.0"}, {"criteria": "cpe:2.3:a:enterprisedb:postgres_advanced_server:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D3B7765D-34FD-479B-9C4E-9CAC34CC1AD2", "versionEndExcluding": "15.4.0", "versionStartIncluding": "15.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}