
cpe:2.3:a:aiven:aiven-extras:*:*:*:*:*:*:*:*

part: a | version: * | update: *

Vendor: Aiven (55dae46f-23ce-5560-8065-cd68a0390f60)
Product: Aiven Extras (57dd648b-8822-5efe-8434-ec921c7c4eea)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE-2025-31480 | vulnerable | 2026-06-08 07:18:57.905780 | aiven-extras allows PostgreSQL Privilege Escalation through format function
CRITICAL (9.1)
aiven-extras is a PostgreSQL extension. This is a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages the format function not being schema-prefixed. Affected users should install 1.1.16 and ensure they run the latest version by issuing ALTER EXTENSION aiven_extras UPDATE TO '1.1.16' after installing it. This needs to happen in each database aiven_extras has been installed in.
Published: 2025-04-04T14:49:30.863Z
Updated: 2025-04-04T14:57:54.321Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE-2023-32305 | vulnerable | 2026-06-08 06:04:45.466134 | aiven-extras PostgreSQL Privilege Escalation Through Overloaded Search Path
HIGH (8.8)
aiven-extras is a PostgreSQL extension. Versions prior to 1.1.9 contain a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages missing schema qualifiers on privileged functions called by the aiven-extras extension. A low privileged user can create objects that collide with existing function names, which will then be executed instead. Exploiting this vulnerability could allow a low privileged user to acquire `superuser` privileges, which would allow full, unrestricted access to all data and database functions, and could lead to arbitrary code execution or data access on the underlying host as the `postgres` user. The issue has been patched as of version 1.1.9.
Published: 2023-05-12T18:46:55.995Z
Updated: 2025-02-13T16:50:30.580Z
Reference links
Imported from gcve-enriched-dumps CVE data
