#VU91687 Input validation error in aiven-extras - CVE-2023-32305

Cybersecurity Help s.r.o.

Published: 2024-06-11

Vulnerability identifier: #VU91687

Vulnerability risk: Medium

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-32305

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
aiven-extras
Other software / Other software solutions

Vendor: Aiven

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to leveraging missing schema qualifiers on privileged functions called by the aiven-extras extension. A low privileged user can acquire `superuser` privileges, which would allow full, unrestricted access to all data and database functions and could lead to arbitrary code execution or data access on the underlying host as the `postgres` user.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

aiven-extras: 1.0 - 1.1.8

External links
https://github.com/aiven/aiven-extras/commit/8682ae01bec0791708bf25791786d776e2fb0250
https://github.com/aiven/aiven-extras/security/advisories/GHSA-7r4w-fw4h-67gp
https://security.netapp.com/advisory/ntap-20230616-0006/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Business Automation