CVE-2023-31043 - EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0

First Published: 2023/04/23

Last Updated: 2023/05/02

Summary

EDB Postgres Advanced Server (EPAS) versions before 14.6.0 log unredacted passwords when optional parameters are used with CREATE/ALTER USER/GROUP/ROLE statements, even when password redaction was enabled with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0.
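Until an affected server is updated, the practical question for a defender is whether the server log already contains password literals that the filter should have redacted. The following scanner is an added example written for this advisory; it is not EDB code and does not reproduce the filter. It assumes PostgreSQL-style log lines containing the full statement text, and it assumes (as a labelled assumption) that the redaction filter writes the placeholder 'x' in place of the password; adjust REDACTED_VALUES to whatever your EPAS version actually emits. The sample log lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# CREATE/ALTER USER|ROLE|GROUP <name> followed by the rest of the statement.
STATEMENT_RE = re.compile(
    r'\b(CREATE|ALTER)\s+(USER|ROLE|GROUP)\s+("[^"]+"|\w+)(?P<tail>[^;]*)',
    re.IGNORECASE,
)
# The PASSWORD clause; the literal may contain doubled single quotes ('').
PASSWORD_CLAUSE_RE = re.compile(
    r"\b(?:ENCRYPTED\s+|UNENCRYPTED\s+)?PASSWORD\s+'(?P<pw>(?:[^']|'')*)'",
    re.IGNORECASE,
)
# Assumption: the redaction filter replaces the password with 'x'.
REDACTED_VALUES = {"x"}


@dataclass
class Finding:
    line_no: int
    verb: str              # CREATE or ALTER
    object_type: str       # USER, ROLE or GROUP
    role_name: str
    has_optional_params: bool   # e.g. LOGIN, VALID UNTIL, CONNECTION LIMIT
    password_length: int        # length only; the secret itself is never stored


def find_unredacted_password_commands(log_lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per log line whose CREATE/ALTER statement still
    carries a password literal that is not the redaction placeholder."""
    findings: List[Finding] = []
    for n, line in enumerate(log_lines, 1):
        m = STATEMENT_RE.search(line)
        if not m:
            continue
        tail = m.group("tail")
        pm = PASSWORD_CLAUSE_RE.search(tail)
        if not pm:
            continue                       # no PASSWORD clause at all
        pw = pm.group("pw")
        if pw in REDACTED_VALUES:
            continue                       # filter worked for this statement
        # Everything in the statement other than the PASSWORD clause and the
        # optional WITH keyword counts as an optional parameter.
        other = tail[:pm.start()] + tail[pm.end():]
        other = re.sub(r"\bWITH\b", " ", other, flags=re.IGNORECASE).strip()
        findings.append(Finding(
            line_no=n,
            verb=m.group(1).upper(),
            object_type=m.group(2).upper(),
            role_name=m.group(3).strip('"'),
            has_optional_params=bool(other),
            password_length=len(pw),
        ))
    return findings


def redact_line(line: str) -> str:
    """Replace the password literal so the line can be kept or forwarded safely."""
    return re.sub(r"(\bPASSWORD\s+')(?:[^']|'')*(')", r"\1<redacted>\2",
                  line, flags=re.IGNORECASE)


# Constructed sample log lines (not real EPAS output).
SAMPLE_LOG = [
    "2023-04-20 10:01:02 UTC [1234] LOG:  statement: CREATE ROLE app_ro LOGIN PASSWORD 'x';",
    "2023-04-20 10:02:03 UTC [1234] LOG:  statement: CREATE ROLE app_rw LOGIN PASSWORD 'hunter2' VALID UNTIL '2030-01-01';",
    "2023-04-20 10:03:04 UTC [1235] LOG:  statement: ALTER USER report ENCRYPTED PASSWORD 'x';",
    "2023-04-20 10:04:05 UTC [1235] LOG:  statement: ALTER GROUP analysts ADD USER bob;",
    "2023-04-20 10:05:06 UTC [1236] LOG:  statement: ALTER ROLE batch WITH PASSWORD 'Spring''23' CONNECTION LIMIT 5;",
]

if __name__ == "__main__":
    for f in find_unredacted_password_commands(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.verb} {f.object_type} {f.role_name} "
              f"optional_params={f.has_optional_params} pw_len={f.password_length}")
        print("   redacted:", redact_line(SAMPLE_LOG[f.line_no - 1]))
```

On the constructed sample the scanner flags lines 2 and 5, both of which combine a password with optional parameters, which is the shape of statement the advisory describes; the statements redacted to 'x' and the ALTER GROUP without a password pass. Findings deliberately record only the length of the literal, and redact_line gives a safe form of the line for tickets or SIEM forwarding. Any role whose password appears unredacted in the log should be treated as exposed and rotated after the server is updated.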

Vulnerability details

CVE-ID: CVE-2023-31043

CVSS Base Score: 7.5

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products and versions

EDB Postgres Advanced Server (EPAS)

  • All versions up to 10.23.32
  • 11.1.7 to 11.18.28
  • 12.1.2 to 12.13.16
  • 13.1.4 to 13.9.12
  • 14.1.0 to 14.5.0

Remediation/fixes

Product   VRMF                          Remediation/First Fix
EPAS      All versions up to 10.23.32   Update to latest supported version (at least 10.23.33)
EPAS      11.1.7 to 11.18.28            Update to latest supported version (at least 11.18.29)
EPAS      12.1.2 to 12.13.16            Update to latest supported version (at least 12.13.17)
EPAS      13.1.4 to 13.9.12             Update to latest supported version (at least 13.9.13)
EPAS      14.1.0 to 14.5.0              Update to latest supported version (at least 14.6.0)

Update

No Updates at this time

References

Acknowledgement

Source: Mitre

Change history

26 July 2023: Original Copy Published

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
