Skip to content

coder embedded postgres version has multiple high CVEs: CVE-2023-39417, CVE-2023-5869, CVE-2024-0985 #12305

Closed
@michaelbrewer

Description

@michaelbrewer

File ~/.config/coderv2/postgres/bin/bin/postgres version 13.11 is vulnerable to CVE-2023-39417, which exists in versions >= 13.0, < 13.12.

The vulnerability was found in the National Vulnerability Database (NVD) based on the CPE cpe:2.3:a:postgresql:postgresql with NVD severity: High.

The file is associated with the technology PostgreSQL.

The vulnerability can be remediated by updating PostgreSQL to 13.12 or higher.

Looks like the cause is the go package which creates the embedded server:

embeddedpostgres "github.com/fergusstrange/embedded-postgres"

I have opened a pull request to patch this:
fergusstrange/embedded-postgres#131

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions