CVE-2022-1552
31.08.2022, 16:15
A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.
| Vendor | Product | Version |
|---|---|---|
| postgresql | postgresql | 10.0 ≤ 𝑥 < 10.21 |
| postgresql | postgresql | 11.0 ≤ 𝑥 < 11.16 |
| postgresql | postgresql | 12.0 ≤ 𝑥 < 12.11 |
| postgresql | postgresql | 13.0 ≤ 𝑥 < 13.7 |
| postgresql | postgresql | 14.0 ≤ 𝑥 < 14.3 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| postgresql-10 |
| ||||||||||||||||||||
| postgresql-12 |
| ||||||||||||||||||||
| postgresql-13 |
| ||||||||||||||||||||
| postgresql-14 |
| ||||||||||||||||||||
| postgresql-9.1 |
| ||||||||||||||||||||
| postgresql-9.3 |
| ||||||||||||||||||||
| postgresql-9.5 |
|
Common Weakness Enumeration
- CWE-459 - Incomplete CleanupThe software does not properly "clean up" and remove temporary or supporting resources after they have been used.
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
References