CVE-2023-41119: 
EDB Postgres Advanced Server vulnerability analysis and mitigation

An issue was discovered in EnterpriseDB Postgres Advanced Server (EPAS) affecting multiple versions (before 11.21.32, 12.x before 12.16.20, 13.x before 13.12.16, 14.x before 14.9.0, and 15.x before 15.4.0). The vulnerability was disclosed on August 21, 2023, and involves a privilege escalation issue in the _dbms_aq_move_to_exception_queue function that could allow users to elevate their privileges to superuser level (Vendor Advisory).

The vulnerability exists in the _dbms_aq_move_to_exception_queue function, which accepts the OID of a table and then accesses that table as the superuser by using SELECT and DML commands. The vulnerability has been assigned a CVSS v3.1 Base Score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (NVD).

The vulnerability allows authenticated users to elevate their privileges to superuser level, potentially gaining full administrative access to the database system. This could lead to unauthorized access to sensitive data, modification of database contents, and complete control over the database system (Vendor Advisory).

Users must upgrade to the fixed versions: 11.21.32, 12.16.20, 13.12.17, 14.9.0, or 15.4.0 or later. After upgrading, existing database instance clusters must be patched using edb_sqlpatch. Users running unsupported versions should upgrade to receive these updates. The vendor warns that the patch modifies system objects' definitions inside the database, which may cause noticeable behavioral differences (Vendor Advisory).