CVE-2023-32305: Input Validation
First published: Fri May 12 2023(Updated: )
aiven-extras is a PostgreSQL extension. Versions prior to 1.1.9 contain a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages missing schema qualifiers on privileged functions called by the aiven-extras extension. A low privileged user can create objects that collide with existing function names, which will then be executed instead. Exploiting this vulnerability could allow a low privileged user to acquire `superuser` privileges, which would allow full, unrestricted access to all data and database functions. And could lead to arbitrary code execution or data access on the underlying host as the `postgres` user. The issue has been patched as of version 1.1.9.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PostgreSQL | <1.1.9 | |
| PostgreSQL | >=10.0<=10.22 | |
| PostgreSQL | >=11.0<=11.7 | |
| PostgreSQL | >=12.0<=12.12 | |
| PostgreSQL | >=13.0<=13.8 | |
| PostgreSQL | >=14.0<=14.5 | |
| All of | ||
| PostgreSQL | <1.1.9 | |
| Any of | ||
| PostgreSQL | >=10.0<=10.22 | |
| PostgreSQL | >=11.0<=11.7 | |
| PostgreSQL | >=12.0<=12.12 | |
| PostgreSQL | >=13.0<=13.8 | |
| PostgreSQL | >=14.0<=14.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2023-32305?
CVE-2023-32305 is a privilege escalation vulnerability in the aiven-extras PostgreSQL extension.
How does CVE-2023-32305 affect my system?
CVE-2023-32305 allows elevation to superuser inside PostgreSQL databases that use the vulnerable aiven-extras package.
What versions of aiven-extras are affected by CVE-2023-32305?
Versions prior to 1.1.9 of aiven-extras are affected by CVE-2023-32305.
How severe is CVE-2023-32305?
CVE-2023-32305 has a severity rating of 8.8 (high).
How can I fix CVE-2023-32305?
To fix CVE-2023-32305, update your aiven-extras package to version 1.1.9 or later.
- agent/type
- agent/first-publish-date
- agent/severity
- agent/remedy
- agent/last-modified-date
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/aiven
- canonical/postgresql
- vendor/postgresql
- version/postgresql/10.0
- version/postgresql/10.22
- version/postgresql/11.0
- version/postgresql/11.7
- version/postgresql/12.0
- version/postgresql/12.12
- version/postgresql/13.0
- version/postgresql/13.8
- version/postgresql/14.0
- version/postgresql/14.5