Test Kennung:	1.3.6.1.4.1.25623.1.0.148597
Kategorie:	Databases
Titel:	PostgreSQL 10.x < 10.22, 11.x < 11.17, 12.x < 12.12, 13.x < 13.8, 14.x < 14.5 Extension Vulnerability - Windows
Zusammenfassung:	PostgreSQL is prone to a vulnerability where extension scripts; replace objects not belonging to the extension.
Beschreibung:	Summary: PostgreSQL is prone to a vulnerability where extension scripts replace objects not belonging to the extension. Vulnerability Insight: Some extensions use CREATE OR REPLACE or CREATE IF NOT EXISTS commands. Some don't adhere to the documented rule to target only objects known to be extension members already. An attack requires permission to create non-temporary objects in at least one schema, ability to lure or wait for an administrator to create or update an affected extension in that schema, and ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Vulnerability Impact: Given all three prerequisites, the attacker can run arbitrary code as the victim role, which may be a superuser. Known-affected extensions include both PostgreSQL-bundled and non-bundled extensions. PostgreSQL is blocking this attack in the core server, so there's no need to modify individual extensions. Affected Software/OS: PostgreSQL version 10.x, 11.x, 12.x, 13.x and 14.x. Solution: Update to version 10.22, 11.17, 12.12, 13.8, 14.5 or later. CVSS Score: 9.0 CVSS Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Querverweis:	Common Vulnerability Exposure (CVE) ID: CVE-2022-2625 https://security.gentoo.org/glsa/202211-04 https://bugzilla.redhat.com/show_bug.cgi?id=2113825 https://www.postgresql.org/about/news/postgresql-145-138-1212-1117-1022-and-15-beta-3-released-2496/
Copyright	Copyright (C) 2022 Greenbone AG

Dies ist nur einer von 145615 Anfälligkeitstests in unserem Testpaket. Finden Sie mehr über unsere vollständigen Sicherheitsüberprüfungen heraus. Um einen gratis Test für diese Anfälligkeit auf Ihrem System durchlaufen zu lassen, registrieren Sie sich bitte unten.