PT-2023-7471 · Unknown · Greenplum Database

Published

2023-05-15

Updated

2023-05-25

CVE-2023-31131

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions Greenplum Database versions prior to 6.22.3

Description The issue is related to the Greenplum Database using unsafe methods to extract tar files within GPPKGs, leading to path traversal and arbitrary file writes. An attacker can exploit this to overwrite data or system files, potentially causing a system crash or malfunction. Any files accessible to the running process are at risk.

Recommendations For Greenplum Database versions prior to 6.22.3, upgrade to Greenplum Database version 6.23.2 or higher. As a temporary workaround, consider restricting access to sensitive files and directories to minimize the risk of exploitation. Note that there are no known workarounds for this issue other than upgrading to a patched version.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

BDU:2023-08515

CVE-2023-31131

GHSA-HGM9-2Q42-C7F3

Affected Products

Greenplum Database

PT-2023-7471 · Unknown · Greenplum Database

CVE-2023-31131

Weakness Enumeration

Related Identifiers

Affected Products

References · 9