CVE-2022-2625
First published: Tue Aug 02 2022(Updated: )
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <14.5 | 14.5 |
| redhat/postgresql | <13.8 | 13.8 |
| redhat/postgresql | <12.12 | 12.12 |
| redhat/postgresql | <11.17 | 11.17 |
| redhat/postgresql | <10.22 | 10.22 |
| PostgreSQL PostgreSQL | >=10.0<10.22 | |
| PostgreSQL PostgreSQL | >=11.0<11.17 | |
| PostgreSQL PostgreSQL | >=12.0<12.12 | |
| PostgreSQL PostgreSQL | >=13.0<13.8 | |
| PostgreSQL PostgreSQL | >=14.0<14.5 | |
| PostgreSQL PostgreSQL | =15-beta1 | |
| PostgreSQL PostgreSQL | =15-beta2 | |
| Fedoraproject Fedora | =36 | |
| Redhat Enterprise Linux | =6.0 | |
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| Redhat Enterprise Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=2113825
- https://security.gentoo.org/glsa/202211-04
- https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2119248
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2119249
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2119250
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2119251
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2119252
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2119253
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2119254
- https://access.redhat.com/errata/RHSA-2022:7128
- https://access.redhat.com/security/cve/cve-2022-2625
- https://access.redhat.com/errata/RHSA-2023:0113
- https://access.redhat.com/errata/RHSA-2023:0160
- https://access.redhat.com/errata/RHSA-2023:1576
- https://access.redhat.com/errata/RHSA-2023:1693
- https://access.redhat.com/errata/RHSA-2023:7545
- https://access.redhat.com/errata/RHSA-2023:7580
- https://access.redhat.com/errata/RHSA-2023:7667
- https://access.redhat.com/errata/RHSA-2023:7694
- https://access.redhat.com/errata/RHSA-2023:7695
Frequently Asked Questions
What is the vulnerability ID for this PostgreSQL vulnerability?
The vulnerability ID for this PostgreSQL vulnerability is CVE-2022-2625.
What software versions are affected by this vulnerability?
The software versions affected by this vulnerability range from 10.0 to 14.5 of PostgreSQL.
What is the severity of CVE-2022-2625?
The severity of CVE-2022-2625 is high (8 out of 10).
How can I fix this vulnerability?
To fix this vulnerability, update your PostgreSQL software to version 14.5 or apply the appropriate patch provided by the vendor.
Where can I find more information about CVE-2022-2625?
You can find more information about CVE-2022-2625 on the official PostgreSQL website and the bugzilla pages provided in the references.
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/author
- agent/severity
- agent/references
- agent/description
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-2625
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/10.0
- version/postgresql postgresql/11.0
- version/postgresql postgresql/12.0
- version/postgresql postgresql/13.0
- version/postgresql postgresql/14.0
- version/postgresql postgresql/15-beta1
- version/postgresql postgresql/15-beta2
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/36
- vendor/redhat
- canonical/redhat enterprise linux
- version/redhat enterprise linux/6.0
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- version/redhat enterprise linux/9.0
- package-manager/redhat