PostgreSQL multiple commands security bypass | CVE-2022-1552
NAME
PostgreSQL multiple commands security bypass
- Platforms Affected:
PostgreSQL PostgreSQL 10
PostgreSQL PostgreSQL 11
PostgreSQL PostgreSQL 12
PostgreSQL PostgreSQL 13
PostgreSQL PostgreSQL 14 - Risk Level:
8.8 - Exploitability:
Unproven - Consequences:
Bypass Security
DESCRIPTION
PostgreSQL remote authenticated attacker to bypass security restrictions, caused by an issue with not activate protection or too late with the Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary SQL functions under a superuser identity.
CVSS 3.0 Information
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Access Vector: Network
- Access Complexity: Low
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
- Remediation Level: Official Fix
MITIGATION
Upgrade to the latest version of PostgreSQL (10.21, 11.16, 12.11, 13.7, 14.3 or later), available from the PostgreSQL Web site. See References.
- Reference Link:
https://www.postgresql.org/support/security/CVE-2022-1552/ - Reference Link:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1552
If you like the site, please consider joining the telegram channel and supporting us on Patreon using the button below.
