CVE-2023-41115: 
EDB Postgres Advanced Server vulnerability analysis and mitigation

An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) affecting multiple versions (before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0). The vulnerability was disclosed on August 21, 2023, and allows authenticated users to bypass permission restrictions when using UTL_ENCODE to read any large object, regardless of their assigned permissions (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. This indicates that the vulnerability requires network access and low privileges to exploit, requires no user interaction, and can result in high confidentiality impact without affecting integrity or availability (NIST NVD).

The vulnerability allows authenticated users to bypass authorization controls and read any large object in the database, regardless of their assigned permissions. This represents a significant confidentiality breach as it could expose sensitive data stored as large objects in the database (Vendor Advisory).

Users must upgrade to the fixed versions: 11.21.32 or later, 12.16.20 or later, 13.12.17 or later, 14.9.0 or later, or 15.4.0 or later. After upgrading, existing database instance clusters must be patched using edb_sqlpatch. Users running unsupported versions should upgrade to receive these updates. The patch modifies system object definitions, which may cause behavioral differences, and users should evaluate potential application impacts before applying fixes (Vendor Advisory).