8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
67.9%
A vulnerability was found in PostgreSQL. This attack requires permission to
create non-temporary objects in at least one schema, the ability to lure or
wait for an administrator to create or update an affected extension in that
schema, and the ability to lure or wait for a victim to use the object
targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three
prerequisites, this flaw allows an attacker to run arbitrary code as the
victim role, which may be a superuser.
Author | Note |
---|---|
leosilva | PostgreSQL 9.3 is end of life upstream, and no updates are are available. Marking as deferred in -esm-main releases. |
rodrigo-zaiden | PostgreSQL 9.5 is not being maintained by upstream anymore (EOL), and without upstream support, there is a potential risk of adding regressions as the fix touches command permissions that might need other changes for a specific version. So, for this version, we won’t be fixing this CVE. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | postgresql-10 | < 10.22-0ubuntu0.18.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | postgresql-12 | < 12.12-0ubuntu0.20.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | postgresql-14 | < 14.5-0ubuntu0.22.04.1 | UNKNOWN |
ubuntu | 14.04 | noarch | postgresql-9.3 | < any | UNKNOWN |
8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
6 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
0.003 Low
EPSS
Percentile
67.9%