CVE-2023-41114: 
EDB Postgres Advanced Server vulnerability analysis and mitigation

An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) affecting multiple versions (before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0). The vulnerability was discovered in August 2023 and involves publicly executable functions that could allow unauthorized file access (EDB Advisory).

The vulnerability centers around two functions, 'get_url_as_text' and 'get_url_as_bytea', which are publicly executable. These functions allow authenticated users to read any file from both the local filesystem and remote systems, bypassing normal permission restrictions. The vulnerability has been assigned a CVSS Base Score of 6.5 (Medium) with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (EDB Advisory).

The vulnerability allows any authenticated user to read arbitrary files from both the local filesystem and remote systems, regardless of their assigned permissions. This represents a significant breach of access control mechanisms and could lead to unauthorized access to sensitive data (EDB Advisory).

Users must upgrade to fixed versions: 11.21.32 or later, 12.16.20 or later, 13.12.17 or later, 14.9.0 or later, or 15.4.0 or later. After upgrading, existing database instance clusters must be patched using edb_sqlpatch. Users running unsupported versions should upgrade to receive these updates. The patch modifies system objects inside the database, and users should verify potential impacts on applications before applying fixes (EDB Advisory).