CVE-2022-2625

A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
Configurations

Configuration 1

OR cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:15:beta1:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:15:beta2:*:*:*:*:*:*

Configuration 2

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Configuration 3

OR cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

History

02 Dec 2022, 20:14

Type Values Removed Values Added
References (GENTOO) https://security.gentoo.org/glsa/202211-04 - (GENTOO) https://security.gentoo.org/glsa/202211-04 - Third Party Advisory
CWE CWE-915 CWE-1321

22 Nov 2022, 06:15

Type Values Removed Values Added
References
  • (GENTOO) https://security.gentoo.org/glsa/202211-04 -
CWE CWE-913 CWE-915

31 Aug 2022, 16:15

Type Values Removed Values Added
References
  • (MISC) https://access.redhat.com/security/cve/CVE-2022-2625 - Third Party Advisory
Summary
  • Removed: A vulnerability found in postgresql. On this security issue an attack requires permission to create non-temporary objects in at least one schema, ability to lure or wait for an administrator to create or update an affected extension in that schema, and ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL blocks this attack in the core server, so there's no need to modify individual extensions.
  • Added: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.

19 Aug 2022, 19:09

Type Values Removed Values Added
CPE cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:15:beta1:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:15:beta2:*:*:*:*:*:*
CWE CWE-913
References (MISC) https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496/ - (MISC) https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496/ - Release Notes, Vendor Advisory
References (MISC) https://access.redhat.com/security/cve/CVE-2022-2625 - (MISC) https://access.redhat.com/security/cve/CVE-2022-2625 - Third Party Advisory
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2113825 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=2113825 - Issue Tracking, Third Party Advisory
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.0
First Time Fedoraproject
Postgresql postgresql
Postgresql
Fedoraproject fedora
Redhat
Redhat enterprise Linux

18 Aug 2022, 19:19

Type Values Removed Values Added
New CVE

Information

Published : 2022-08-18 19:15

Updated : 2023-12-10 14:35


NVD link : CVE-2022-2625

Mitre link : CVE-2022-2625

CVE.ORG link : CVE-2022-2625



Products Affected

redhat

  • enterprise_linux

postgresql

  • postgresql

fedoraproject

  • fedora
CWE
CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes