CVE-2022-2625
moderate-risk
Published 2022-08-18
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
Do I need to act?
-
0.97% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.0/10
High
NETWORK
/ LOW complexity
Affected Products (8)
Affected Vendors
References (6)
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2113825
Third Party Advisory
https://security.gentoo.org/glsa/202211-04
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=2113825
Third Party Advisory
https://security.gentoo.org/glsa/202211-04
45
/ 100
moderate-risk
Severity
28/34 · Critical
Exploitability
3/34 · Minimal
Exposure
14/34 · Moderate