CVE-2023-41113: 
EDB Postgres Advanced Server vulnerability analysis and mitigation

An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) affecting versions before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. The vulnerability allows authenticated users to obtain information about files on disk, including their existence, read errors, and limited content information, regardless of permissions (EDB Docs, NVD).

The vulnerability occurs when a superuser has configured one or more directories for filesystem access via CREATE DIRECTORY and adopted certain non-default settings for log_line_prefix and log_connections. The CVSS Base Score is 4.3 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, indicating network accessibility with low attack complexity and requiring low privileges (EDB Docs).

The vulnerability enables authenticated users to bypass normal permission restrictions to gather information about files on the system disk. This includes determining file existence, accessing error messages from read attempts, and obtaining limited information about file contents (NVD).

Users must upgrade to fixed versions: 11.21.32, 12.16.20, 13.12.17, 14.9.0, or 15.4.0 or later. After upgrading, existing database instance clusters must be patched using edb_sqlpatch. Users running unsupported versions should upgrade to receive these updates. The patch modifies system object definitions inside the database, which may cause some behavioral differences (EDB Docs).