CVE-2023-31043 - EDB Postgres Advanced Server (EPAS) logs unredacted passwords prior to 14.6.0
Suggest editsFirst Published: 2023/04/23
Last Updated: 2023/05/02
Summary
EDB Postgres Advanced Server (EPAS) versions before 14.6.0 log unredacted passwords in situations where optional parameters are used with CREATE/ALTER USER/GROUP/ROLE, and redacting was configured with edb_filter_log.redact_password_commands. The fixed versions are 10.23.33, 11.18.29, 12.13.17, 13.9.13, and 14.6.0.
Vulnerability details
CVE-ID: CVE-2023-31043
CVSS Base Score: 7.5
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products and versions
EDB Postgres Advanced Server (EPAS)
- All versions up to 10.23.32
- 11.1.7 to 11.18.28
- 12.1.2 to 12.13.16
- 13.1.4 to 13.9.12
- 14.1.0 to 14.5.0
- 14.1.0 to 14.5.0
Remediation/fixes
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| EPAS | All versions up to 10.23.32 | Update to latest supported version (at least 10.23.33) |
| EPAS | 11.1.7 to 11.18.28 | Update to latest supported version (at least 11.18.29) |
| EPAS | 12.1.2 to 12.13.16 | Update to latest supported version (at least 12.13.17) |
| EPAS | 13.1.4 to 13.9.12 | Update to latest supported version (at least 13.9.13) |
| EPAS | 14.1.0 to 14.5.0 | Update to latest supported version (at least 14.6.0) |
Update
No Updates at this time
References
Related information
Acknowledgement
Source: Mitre
Change history
26 July 2023: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
Could this page be better? Report a problem or suggest an addition!