CVE-2022-1552: Incomplete Cleanup in PostgreSQL

Severity: 8.8 HIGH (NVD)
EPSS: 2.3% (top 15.36%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Aug 31; latest update Oct 13

Description

A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (9 packages)

debian: debian/postgresql-13 < postgresql-13 13.7-0+deb11u1 (bullseye)
NVD: postgresql/postgresql 10.0 10.21 +4
CVEListV5: postgresql/postgresql: Fixed in postgresql 14.3, postgresql 13.7, postgresql 12.11, postgresql 11.16, postgresql 10.21.

Vulnerability Details (2)

GHSA: GHSA-3f3c-74mp-823m: A flaw was found in PostgreSQL (2022-09-01)
OSV: CVE-2022-1552: A flaw was found in PostgreSQL (2022-08-31)

Vendor Advisories (5)

Ubuntu: PostgreSQL vulnerability (2022-10-13)
Microsoft: A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum REINDEX CREATE INDEX REFRESH MA... (2022-08-09)
Ubuntu: PostgreSQL vulnerability (2022-05-24)
Red Hat: postgresql: Autovacuum, REINDEX, and others omit "security restricted operation" sandbox (2022-05-12)
Debian: CVE-2022-1552: postgresql-13 - A flaw was found in PostgreSQL. There is an issue with incomplete efforts to ope... (2022)