CVE-2024-4545 - EDB Postgres Advanced Server (EPAS) authenticated file read permissions bypass using edbldr
First Published: 2024/05/09
Last Updated: 2024/05/09
Summary
All versions of EnterpriseDB Postgres Advanced Server (EPAS) from 15.0 and prior to 15.7.0 and from 16.0 and prior to 16.3.0 may allow users using edbldr
to bypass role permissions from pg_read_server_files
. This could allow low privilege users to read files to which they would not otherwise have access.
Vulnerability details
CVE-ID: CVE-2024-4545
CVSS Base Score: 7.7
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Affected products and versions
- EnterpriseDB Postgres Advanced Server (EPAS)
- All versions from 15.0 and prior to 15.7.0
- All versions from 16.0 and prior to 16.3.0
Remediation
Impacted users must upgrade to a fixed version of EPAS. For questions about updating, users can contact their account representative or contact EDB.
Product | VRMF | Remediation/First Fix |
---|---|---|
EPAS | All versions from 15.0 and prior to 15.7.0 | Upgrade EPAS 15 to Minor release |
EPAS | All versions from 16.0 and prior to 16.7.0 | Upgrade EPAS 16 to Minor release |
Warning
If impacted users are currently relying on non-superusers to run edbldr and read data from the server filesystem without any special permissions, the fixed versions of EPAS could break these workflows. It is recommended that users do one of the following:
- Grant such users the
pg_read_server_files
role - Change the way data is being loaded into the database, such as loading files from standard input rather than specifying a pathname.
References
Related information
Acknowledgement
None
Change history
- 9 May 2024: Original document published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
Could this page be better? Report a problem or suggest an addition!