CVE-2022-2625

CVSS V2 None CVSS V3 High 8
Description
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
Overview
  • CVE ID
  • CVE-2022-2625
  • Assigner
  • secalert@redhat.com
  • Vulnerability Status
  • Analyzed
  • Published Version
  • 2022-08-18T19:15:14
  • Last Modified Date
  • 2022-12-02T20:14:08
Weakness Enumerations
CWE URL
CWE-1321 http://cwe.mitre.org/data/definitions/1321.html
CPE Configuration (Product)
CPE Vulnerable Operator Version Start Version End
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 1 OR 10.0 10.22
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 1 OR 11.0 11.17
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 1 OR 12.0 12.12
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 1 OR 13.0 13.8
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* 1 OR 14.0 14.5
cpe:2.3:a:postgresql:postgresql:15:beta1:*:*:*:*:*:* 1 OR
cpe:2.3:a:postgresql:postgresql:15:beta2:*:*:*:*:*:* 1 OR
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* 1 OR
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* 1 OR
CVSS Version 3
  • Version
  • 3.1
  • Vector String
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
  • Attack Vector
  • NETWORK
  • Attack Compatibility
  • LOW
  • Privileges Required
  • LOW
  • User Interaction
  • REQUIRED
  • Scope
  • UNCHANGED
  • Confidentiality Impact
  • HIGH
  • Availability Impact
  • HIGH
  • Base Score
  • 8
  • Base Severity
  • HIGH
  • Exploitability Score
  • 2.1
  • Impact Score
  • 5.9
References
Reference URL Reference Tags
https://bugzilla.redhat.com/show_bug.cgi?id=2113825
https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496/
https://access.redhat.com/security/cve/CVE-2022-2625
Sources
Source Name Source URL
NIST https://nvd.nist.gov/vuln/detail/CVE-2022-2625
MITRE https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2625
History
Created Old Value New Value Data Type Notes
2022-08-18 20:00:24 Added to TrackCVE
2022-12-06 14:34:21 2022-12-02T20:14:08 CVE Modified Date updated
2022-12-06 14:34:21 Undergoing Analysis Analyzed Vulnerability Status updated
2022-12-06 14:34:22 CWE-1321 Weakness Enumeration updated