CVE-2023-41118: 
EDB Postgres Advanced Server vulnerability analysis and mitigation

An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0. The vulnerability (CVE-2023-41118) was disclosed on August 21, 2023, and affects the authorization system of EPAS (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue allows authenticated users to bypass authorization requirements and access underlying implementation functions when a superuser has configured file locations using CREATE DIRECTORY (NVD).

When exploited, this vulnerability allows users to take a wide range of unauthorized actions on files, including read, write, copy, rename, and delete operations. This significantly impacts the confidentiality, integrity, and availability of the system's file operations (Vendor Advisory).

Users must upgrade to fixed versions: 11.21.32 or later, 12.16.20 or later, 13.12.17 or later, 14.9.0 or later, or 15.4.0 or later. After upgrading, existing database instance clusters must be patched using edb_sqlpatch. Users running unsupported versions should upgrade to receive these updates (Vendor Advisory).