Platform: postgresql
Component: edb-postgres-advanced-server
Fixed in: 15.7.0, 16.3.0
CVE-2024-4545 affects EnterpriseDB Postgres Advanced Server (EPAS) and allows users of the edbldr (EDB*Loader) utility to bypass role permissions. The bypass lets low-privilege users read files they would normally be prevented from accessing, potentially exposing sensitive data. Versions 15.0 through 16.3.0 are vulnerable, and a fix is available in version 16.3.0.
The primary impact of CVE-2024-4545 is unauthorized file access. An attacker with limited privileges can exploit this vulnerability to read files they should not have access to, potentially including configuration files, database backups, or other sensitive data. This could lead to data breaches, privilege escalation, or further compromise of the system. The scope of the impact depends on which files are reachable and how sensitive their contents are. The vulnerability is particularly concerning in environments where edbldr is used for database administration tasks, since it could give an attacker a foothold from which to escalate privileges.
CVE-2024-4545 was publicly disclosed on May 9, 2024. There is currently no indication of active exploitation in the wild. The vulnerability is not listed on the CISA KEV catalog as of this writing. Public proof-of-concept code is not yet available, but the relatively straightforward nature of the bypass suggests that it may be developed soon.
Exploit Status
EPSS
0.08% (23rd percentile)
The primary mitigation for CVE-2024-4545 is to upgrade to EnterpriseDB Postgres Advanced Server version 16.3.0 or later. If upgrading is not immediately feasible, restrict access to edbldr and carefully review the permissions granted to the users who run it. Apply strict access controls and least-privilege principles to limit the impact of a successful exploit. Monitor file system access logs for suspicious activity related to edbldr. A WAF is unlikely to mitigate this directly, so reviewing and hardening the configuration of edbldr itself is the crucial step.
Update EDB Postgres Advanced Server to version 15.7.0 or later, or to version 16.3.0 or later. This corrects the file-read permission bypass. Consult the EnterpriseDB release notes for further details on the update.
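As an added example (not from the advisory and not EnterpriseDB's own code), the following SQL, run with psql as a superuser against the EPAS instance, does the two checks the mitigation calls for: it compares the server's reported version number with the fixed releases listed on this page, and it lists login roles that are superusers or hold server-side file privileges, which are the accounts to review before letting anyone run edbldr. It assumes EPAS exposes server_version_num in the same major*10000 + minor encoding as community PostgreSQL (so 15.7 is 150007 and 16.3 is 160003) and that the standard predefined roles pg_read_server_files, pg_write_server_files and pg_execute_server_program exist; app_user in the trailing comment is a hypothetical role name.

```sql
-- Added example, not part of the advisory. Run with psql as a superuser.

-- 1. Version check against the fixed releases named on this page
--    (15.7.0 -> 150007, 16.3.0 -> 160003; assumes EPAS reports
--    server_version_num the same way community PostgreSQL does).
SELECT current_setting('server_version_num')::int AS server_version_num,
       CASE
         WHEN current_setting('server_version_num')::int BETWEEN 150000 AND 150006
           THEN 'AFFECTED: upgrade to 15.7.0 or later'
         WHEN current_setting('server_version_num')::int BETWEEN 160000 AND 160002
           THEN 'AFFECTED: upgrade to 16.3.0 or later'
         ELSE 'not in the affected range reported by this advisory'
       END AS cve_2024_4545_status;

-- 2. Least-privilege review: login roles (system pg_* roles excluded) that are
--    superusers or members, directly or through another role, of the
--    predefined roles that grant server-side file and program access.
SELECT r.rolname,
       r.rolsuper                                                AS is_superuser,
       pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')      AS can_read_server_files,
       pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER')     AS can_write_server_files,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER') AS can_execute_server_program
FROM pg_roles r
WHERE r.rolcanlogin
  AND r.rolname NOT LIKE 'pg\_%'
  AND (r.rolsuper
       OR pg_has_role(r.oid, 'pg_read_server_files', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_write_server_files', 'MEMBER')
       OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
ORDER BY r.rolname;

-- Any role listed above that does not need server-side file access should
-- lose it, e.g. (app_user is a hypothetical role name):
--   REVOKE pg_read_server_files FROM app_user;
```

The second query only reports privileges that the database itself enforces; it does not change edbldr's behaviour on a vulnerable build, so treat it as the review step that accompanies restricting who can run edbldr, and treat the upgrade as the actual fix.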
CVE-2024-4545 is a HIGH severity vulnerability in EDB Postgres Advanced Server allowing low-privilege users to bypass role permissions and read restricted files using the edbldr utility.
You are affected if you are running EDB Postgres Advanced Server versions 15.0 through 16.3.0. Upgrade to 16.3.0 or later to mitigate the risk.
Upgrade to EnterpriseDB Postgres Advanced Server version 16.3.0 or later. If immediate upgrade is not possible, restrict access to edbldr and review user permissions.
As of May 9, 2024, there is no indication of active exploitation in the wild, but the vulnerability's nature suggests potential for future exploitation.
Refer to the official EnterpriseDB security advisory for detailed information and updates: [https://www.enterprisedb.com/security/advisories/edb-sa-2024-0007](https://www.enterprisedb.com/security/advisories/edb-sa-2024-0007)