Main Vulnerability Database Vulnerabilities #VU66429

#VU66429 Permissions, Privileges, and Access Controls in PostgreSQL - CVE-2022-2625

Published: August 12, 2022

Vulnerability identifier: #VU66429

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2022-2625

CWE-ID: CWE-264

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
PostgreSQL

Software vendor:
PostgreSQL Global Development Group

Description

The vulnerability allows a remote user to escalate privileges within the database.

The vulnerability exists due to extension scripts can replace objects that do not belong to the extension when using the CREATE OR REPLACE or CREATE IF NOT EXISTS commands. A remote user with (1) permissions to create non-temporary objects in at least one schema, (2) ability to lure or wait for an administrator to create or update an affected extension in that schema, and (3) ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS can run arbitrary code as the victim role.

Remediation

Install updates from vendor's website.

External links

https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496/

#VU66429 Permissions, Privileges, and Access Controls in PostgreSQL - CVE-2022-2625

Description

Remediation

External links

Please verify you're human