CVE-2023-41117: 
EDB Postgres Advanced Server vulnerability analysis and mitigation

An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. The vulnerability involves packages, standalone packages, and functions that run SECURITY DEFINER but are inadequately secured against search_path attacks (EDB Advisory).

The vulnerability has been assigned CVE-2023-41117 with a CVSS Base Score of 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) according to NVD, and 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) according to MITRE. The vulnerability is related to CWE-427 (Uncontrolled Search Path Element) (NVD).

The vulnerability affects multiple versions of EnterpriseDB Postgres Advanced Server, potentially allowing attackers to exploit inadequately secured SECURITY DEFINER functions through search_path attacks. This could lead to unauthorized access and potential system compromise (EDB Advisory).

Users must upgrade to fixed versions: 11.21.32 or later, 12.16.20 or later, 13.12.17 or later, 14.9.0 or later, or 15.4.0 or later. After upgrading, existing database instance clusters must be patched using edb_sqlpatch. Users running unsupported versions should upgrade to receive these updates. The patch modifies system objects inside the database, which may cause behavioral differences (EDB Advisory).