Some extensions use CREATE OR REPLACE or CREATE IF NOT EXISTS commands. Some don't adhere to the documented rule to target only objects known to be extension members already. An attack requires permission to create non-temporary objects in at least one schema, ability to lure or wait for an administrator to create or update an affected extension in that schema, and ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL is blocking this attack in the core server, so there's no need to modify individual extensions.
The PostgreSQL project thanks Sven Klemm for reporting this problem.
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| 14 | 14.5 | Aug. 11, 2022 |
| 13 | 13.8 | Aug. 11, 2022 |
| 12 | 12.12 | Aug. 11, 2022 |
| 11 | 11.17 | Aug. 11, 2022 |
| 10 | 10.22 | Aug. 11, 2022 |
For more information about PostgreSQL versioning, please visit the versioning page.
| Overall Score | 7.1 |
|---|---|
| Component | core server |
| Vector | AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.
For reporting non-security bugs, please see the Report a Bug page.