Stay Connected:

CVE-2022-2625

CVE Details

Release Date:2022-08-18
Impact:None What is this?

Description


A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.

See more information about CVE-2022-2625 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 8.0
Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Version: 3.0
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Errata information


PlatformErrataRelease Date
Oracle Linux version 8 (pg_repack)ELSA-2022-71282022-10-27
Oracle Linux version 8 (pg_repack)ELSA-2023-15762023-04-05
Oracle Linux version 8 (pgaudit)ELSA-2022-71282022-10-27
Oracle Linux version 8 (pgaudit)ELSA-2023-15762023-04-05
Oracle Linux version 8 (postgres-decoderbufs)ELSA-2022-71282022-10-27
Oracle Linux version 8 (postgres-decoderbufs)ELSA-2023-15762023-04-05
Oracle Linux version 8 (postgresql)ELSA-2022-71282022-10-27
Oracle Linux version 8 (postgresql)ELSA-2023-01132023-01-14
Oracle Linux version 8 (postgresql)ELSA-2023-15762023-04-05
Oracle Linux version 9 (postgresql)ELSA-2023-16932023-04-11


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:

software.hardware.complete
Subscribe | Careers | Contact Us | Legal Notices | Terms of Use | Your Privacy Rights