PT-2023-2939 · Aiven · Aiven-Extras

Svenklemm · Published 2023-05-12 · Updated 2024-02-01 · CVE-2023-32305

CVSS v3.1: 8.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: aiven-extras versions prior to 1.1.9

Description: A privilege escalation vulnerability in the aiven-extras PostgreSQL extension allows a low-privileged user to elevate to superuser inside PostgreSQL databases that use the aiven-extras package. Privileged functions called by the extension are invoked without schema qualifiers, so their names are resolved through the search_path; a low-privileged user can therefore create objects whose names collide with those function names, and the user's objects are executed in their place. This lets a low-privileged user acquire superuser privileges, granting full, unrestricted access to all data and database functions, and potentially leading to arbitrary code execution or data access on the underlying host as the postgres user.

Recommendations: For versions prior to 1.1.9, update to version 1.1.9 or later to patch the vulnerability. As a temporary workaround, consider restricting access to the aiven-extras extension to minimize the risk of exploitation. Additionally, monitor database activity for suspicious object creation or function execution to detect potential exploitation attempts.
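The pattern behind this advisory, shown as an added illustration rather than aiven-extras source: an unqualified call inside a SECURITY DEFINER function, the hardened form with a pinned search_path and schema-qualified call, and two catalog queries a DBA can run to audit for the weak pattern and to detect the object collisions the recommendations say to monitor for. The schema `example` and function `do_privileged` are constructed names.

```sql
-- Added illustration (not aiven-extras source). Schema "example" and
-- function "do_privileged" are constructed names.

-- 1. Unsafe pattern: SECURITY DEFINER runs the body as the function owner,
--    but the unqualified call is resolved through the search_path, so a
--    same-named object in an earlier schema would be picked instead.
CREATE SCHEMA IF NOT EXISTS example;
CREATE OR REPLACE FUNCTION example.do_privileged() RETURNS text
LANGUAGE sql SECURITY DEFINER AS $$
  SELECT current_setting('server_version');   -- unqualified: search_path-dependent
$$;

-- 2. Hardened form: pin search_path for the function body, qualify every
--    call, and restrict who may execute the function.
CREATE OR REPLACE FUNCTION example.do_privileged() RETURNS text
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
  SELECT pg_catalog.current_setting('server_version');
$$;
REVOKE EXECUTE ON FUNCTION example.do_privileged() FROM PUBLIC;

-- 3. Audit: SECURITY DEFINER functions that do not pin search_path
--    (proconfig holds the function's SET clauses as 'name=value' strings).
SELECT n.nspname AS schema, p.proname AS function,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS args
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND NOT EXISTS (SELECT 1 FROM unnest(p.proconfig) AS cfg
                  WHERE cfg LIKE 'search_path=%')
ORDER BY 1, 2;

-- 4. Detection: functions owned by non-superusers, outside the system
--    schemas, whose name shadows a pg_catalog function.
SELECT n.nspname AS schema, p.proname AS function,
       pg_catalog.pg_get_userbyid(p.proowner) AS owner
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN pg_catalog.pg_roles r ON r.oid = p.proowner
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT r.rolsuper
  AND EXISTS (SELECT 1 FROM pg_catalog.pg_proc c
              JOIN pg_catalog.pg_namespace cn ON cn.oid = c.pronamespace
              WHERE cn.nspname = 'pg_catalog' AND c.proname = p.proname)
ORDER BY 1, 2;
```

Query 3 is the audit to run against an extension's own functions before and after upgrading; query 4 can be scheduled and its result set compared over time, since any new row is a user-created name collision worth reviewing.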

Tags: Exploit · Fix · Prototype Pollution · RCE

Weakness Enumeration

Related Identifiers

BDU:2023-02941
CVE-2023-32305
GHSA-7R4W-FW4H-67GP

Affected Products

Aiven-Extras