CVE-2022-1552
published 2022-08-31


Priority: P2 / 64 / high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 11.73% (95.5th percentile)
A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.

Affected (13 ranges)

Vendor      Product                                     Version range                                  Fixed in
debian      postgresql-13                               < postgresql-13 13.7-0+deb11u1 (bullseye)      postgresql-13 13.7-0+deb11u1 (bullseye)
msrc        cbl2_postgresql_14.5-1_on_cbl_mariner_2.0   (not stated)                                   (not stated)
msrc        cbl_mariner_1.0_arm                         (not stated)                                   (not stated)
msrc        cbl_mariner_1.0_x64                         (not stated)                                   (not stated)
msrc        cbl_mariner_2.0_arm                         (not stated)                                   (not stated)
msrc        cbl_mariner_2.0_x64                         (not stated)                                   (not stated)
msrc        cm1_postgresql_12.12-1_on_cbl_mariner_1.0   (not stated)                                   (not stated)
postgresql  postgresql                                  (not stated)                                   (not stated)
postgresql  postgresql                                  >= 10.0 < 10.21                                10.21
postgresql  postgresql                                  >= 11.0 < 11.16                                11.16
postgresql  postgresql                                  >= 12.0 < 12.11                                12.11
postgresql  postgresql                                  >= 13.0 < 13.7                                 13.7
postgresql  postgresql                                  >= 14.0 < 14.3                                 14.3

Detection & IOCs (extracted from sources)

  • Attacker must have permission to create non-temporary objects in at least one schema to exploit this privilege escalation to superuser.
  • Monitor for unexpected execution of SQL functions or OS commands under a superuser (postgres) identity, especially when triggered by maintenance commands: Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, or pg_amcheck.
  • Audit PostgreSQL logs for non-superuser accounts creating objects in shared schemas, followed by invocation of maintenance commands (REINDEX, CLUSTER, CREATE INDEX, REFRESH MATERIALIZED VIEW, pg_amcheck) that could trigger the privilege escalation.
  • The vulnerability is exploitable locally (scope: local); focus detection on local PostgreSQL session activity and schema object creation by non-privileged users.
  • The 'security restricted operation' sandbox protection was the intended mitigation but was activated too late or not at all in affected commands; patched versions enforce it correctly. Verify PostgreSQL is updated to a fixed release (e.g., Debian bullseye: 13.7-0+deb11u1).
  • No practical configuration-level mitigation exists; the only remediation is patching the affected PostgreSQL package.
  • libpq (the client library) on Red Hat Enterprise Linux 8 is confirmed not affected; only the server-side postgresql package is in scope.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                       8.8     HIGH
vendor_debian             8.8     HIGH
vendor_msrc               8.8     HIGH
vendor_redhat             8.8     HIGH