CVE-2022-2625

Summary

CVE: CVE-2022-2625
State: PUBLIC
Assigner: [email protected]
Source Priority: CVE Program / NVD first with legacy fallback
Published: 2022-08-18 19:15:00 UTC
Updated: 2022-12-02 20:14:00 UTC
Description: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.
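The three prerequisites in the description map directly onto things a DBA can query for. The block below is an added example written for this page, not code from the PostgreSQL project or from any of the advisories referenced here. It assumes it is run by a superuser in each database that hosts extensions, and it takes the fixed release numbers from the PostgreSQL announcement listed in the references (14.5, 13.8, 12.12, 11.17, 10.22, 15 beta3). Query 1 checks the server version, query 2 finds the schemas where prerequisite one holds, and queries 3 and 4 are retrospective indicators for the two script patterns named in the description (CREATE OR REPLACE and CREATE IF NOT EXISTS); the heuristics in 3 and 4 are assumptions stated in the comments, not anything the advisory itself prescribes.

```sql
-- Added triage queries for CVE-2022-2625. Example code written for this page,
-- not from the PostgreSQL project or any advisory referenced here. Run as a
-- superuser in each database that hosts extensions.

-- 1. Version check. First fixed releases, per the PostgreSQL announcement in
--    the references: 14.5, 13.8, 12.12, 11.17, 10.22 and 15 beta3.
--    server_version_num is major*10000 + minor (14.4 -> 140004); every 15 beta
--    reports 150000, so that branch must be read off version() by hand.
SELECT version() AS server,
       CASE
         WHEN v BETWEEN 140000 AND 140004 THEN 'vulnerable: upgrade to 14.5 or later'
         WHEN v BETWEEN 130000 AND 130007 THEN 'vulnerable: upgrade to 13.8 or later'
         WHEN v BETWEEN 120000 AND 120011 THEN 'vulnerable: upgrade to 12.12 or later'
         WHEN v BETWEEN 110000 AND 110016 THEN 'vulnerable: upgrade to 11.17 or later'
         WHEN v BETWEEN 100000 AND 100021 THEN 'vulnerable: upgrade to 10.22 or later'
         WHEN v <  100000                  THEN 'out of support: no fix released'
         WHEN v >= 150000 AND v < 160000   THEN 'PG15: confirm beta3 or later from version()'
         ELSE 'fixed'
       END AS cve_2022_2625_status
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- 2. Prerequisite one: non-superuser roles that can CREATE in a schema. Up to
--    and including PG14 the default install grants CREATE ON SCHEMA public
--    TO PUBLIC, so every login role appears here until that grant is revoked:
--      REVOKE CREATE ON SCHEMA public FROM PUBLIC;
SELECT n.nspname AS schema, r.rolname AS role
FROM pg_namespace n
JOIN pg_roles r ON has_schema_privilege(r.oid, n.oid, 'CREATE')
WHERE NOT r.rolsuper
  AND r.rolname NOT LIKE 'pg\_%'
  AND n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema'
ORDER BY 1, 2;

-- 3. Retrospective indicator for the CREATE OR REPLACE path (assumption: on an
--    unpatched server a script's CREATE OR REPLACE overwrote a pre-existing
--    object and adopted it into the extension without changing its owner).
--    An extension member owned by someone other than the extension owner is
--    therefore suspicious. A legitimate ALTER ... OWNER TO, or an extension
--    installed by one DBA and updated by another, produces the same rows.
SELECT ext, ext_owner, object, object_owner
FROM (
  SELECT e.extname AS ext,
         pg_get_userbyid(e.extowner) AS ext_owner,
         pg_describe_object(d.classid, d.objid, d.objsubid) AS object,
         CASE d.classid
           WHEN 'pg_proc'::regclass  THEN (SELECT pg_get_userbyid(proowner) FROM pg_proc  WHERE oid = d.objid)
           WHEN 'pg_class'::regclass THEN (SELECT pg_get_userbyid(relowner) FROM pg_class WHERE oid = d.objid)
           WHEN 'pg_type'::regclass  THEN (SELECT pg_get_userbyid(typowner) FROM pg_type  WHERE oid = d.objid)
         END AS object_owner
  FROM pg_depend d
  JOIN pg_extension e ON d.refclassid = 'pg_extension'::regclass
                     AND d.refobjid = e.oid
  WHERE d.deptype = 'e'
    AND d.classid IN ('pg_proc'::regclass, 'pg_class'::regclass, 'pg_type'::regclass)
) AS members
WHERE object_owner IS DISTINCT FROM ext_owner
ORDER BY 1, 3;

-- 4. Indicator for the CREATE IF NOT EXISTS path (assumption: the pre-existing
--    object was left untouched and never became an extension member). List
--    non-member relations and functions in an extension's schema that belong
--    to a non-superuser. Noisy in a shared 'public' schema; compare the names
--    against the extension's own SQL script before drawing conclusions.
SELECT n.nspname AS schema, c.relname AS object, pg_get_userbyid(c.relowner) AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r     ON r.oid = c.relowner
WHERE NOT r.rolsuper
  AND EXISTS (SELECT 1 FROM pg_extension e WHERE e.extnamespace = n.oid)
  AND NOT EXISTS (SELECT 1 FROM pg_depend d
                  WHERE d.classid = 'pg_class'::regclass
                    AND d.objid = c.oid AND d.deptype = 'e')
UNION ALL
SELECT n.nspname, p.proname, pg_get_userbyid(p.proowner)
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles r     ON r.oid = p.proowner
WHERE NOT r.rolsuper
  AND EXISTS (SELECT 1 FROM pg_extension e WHERE e.extnamespace = n.oid)
  AND NOT EXISTS (SELECT 1 FROM pg_depend d
                  WHERE d.classid = 'pg_proc'::regclass
                    AND d.objid = p.oid AND d.deptype = 'e')
ORDER BY 1, 2;
```

Patching removes the second and third prerequisites for future extension installs and updates; it does not retroactively clean up an object that was already adopted or left in place, which is what queries 3 and 4 are for. Revoking CREATE on shared schemas from untrusted roles removes the first prerequisite independently of the server version.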

Risk And Classification

Problem Types: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes, "Prototype Pollution"). The mapping is a poor fit: as the description states, the flaw is an extension script taking over a pre-existing object in a schema, not anything prototype-related.

NVD Known Affected Configurations (CPE 2.3)

Type | Vendor | Product | Version | Update | Edition | Language
Operating System | Fedoraproject | Fedora | 36 | All | All | All
Application | Postgresql | Postgresql | All | All | All | All
Application | Postgresql | Postgresql | 15 | beta1 | All | All
Application | Postgresql | Postgresql | 15 | beta2 | All | All
Operating System | Redhat | Enterprise Linux | 6.0 | All | All | All
Operating System | Redhat | Enterprise Linux | 7.0 | All | All | All
Operating System | Redhat | Enterprise Linux | 8.0 | All | All | All
Operating System | Redhat | Enterprise Linux | 9.0 | All | All | All

References

Reference | Source | Link | Tags
Red Hat Customer Portal - Access to 24x7 support and knowledge | MISC | access.redhat.com |
PostgreSQL: Multiple Vulnerabilities (GLSA 202211-04) — Gentoo security | GENTOO | security.gentoo.org |
PostgreSQL: PostgreSQL 14.5, 13.8, 12.12, 11.17, 10.22, and 15 Beta 3 Released! | MISC | www.postgresql.org |
2113825 – (CVE-2022-2625) CVE-2022-2625 postgresql: Extension scripts replace objects not belonging to the extension. | MISC | bugzilla.redhat.com |
CVE Program record | CVE.ORG | www.cve.org | canonical
NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis

Legacy QID Mappings

  • 160187 Oracle Enterprise Linux Security Update for postgresql:12 (ELSA-2022-7128)
  • 160394 Oracle Enterprise Linux Security Update for postgresql:10 (ELSA-2023-0113)
  • 160532 Oracle Enterprise Linux Security Update for postgresql:13 (ELSA-2023-1576)
  • 160543 Oracle Enterprise Linux Security Update for postgresql (ELSA-2023-1693)
  • 180935 Debian Security Update for postgresql-11 (DLA 3072-1)
  • 181141 Debian Security Update for postgresql-13 (CVE-2022-2625)
  • 198904 Ubuntu Security Notification for PostgreSQL Vulnerability (USN-5571-1)
  • 240781 Red Hat Update for postgresql:12 (RHSA-2022:7128)
  • 241048 Red Hat Update for postgresql:10 (RHSA-2023:0113)
  • 241062 Red Hat Update for rh-postgresql10-postgresql (RHSA-2023:0160)
  • 241320 Red Hat Update for postgresql:13 (RHSA-2023:1576)
  • 241338 Red Hat Update for postgresql (RHSA-2023:1693)
  • 242527 Red Hat Update for postgresql (RHSA-2023:7545)
  • 242534 Red Hat Update for postgresql:13 (RHSA-2023:7580)
  • 242547 Red Hat Update for postgresql:12 (RHSA-2023:7667)
  • 242550 Red Hat Update for postgresql:13 (RHSA-2023:7695)
  • 242552 Red Hat Update for postgresql:12 (RHSA-2023:7694)
  • 378413 Alibaba Cloud Linux Security Update for postgresql:13 (ALINUX3-SA-2023:0036)
  • 502479 Alpine Linux Security Update for postgresql
  • 502480 Alpine Linux Security Update for postgresql13
  • 502481 Alpine Linux Security Update for postgresql14
  • 502483 Alpine Linux Security Update for postgresql12
  • 502780 Alpine Linux Security Update for postgresql15
  • 503690 Alpine Linux Security Update for postgresql13
  • 503691 Alpine Linux Security Update for postgresql14
  • 503701 Alpine Linux Security Update for postgresql12
  • 672421 EulerOS Security Update for postgresql (EulerOS-SA-2022-2802)
  • 710683 Gentoo Linux PostgreSQL Multiple Vulnerabilities (GLSA 202211-04)
  • 752505 SUSE Enterprise Linux Security Update for postgresql10 (SUSE-SU-2022:2893-1)
  • 752511 SUSE Enterprise Linux Security Update for postgresql13 (SUSE-SU-2022:2912-1)
  • 752514 SUSE Enterprise Linux Security Update for postgresql10 (SUSE-SU-2022:2914-1)
  • 752522 SUSE Enterprise Linux Security Update for postgresql10 (SUSE-SU-2022:2946-1)
  • 752529 SUSE Enterprise Linux Security Update for postgresql12 (SUSE-SU-2022:2958-1)
  • 752533 SUSE Enterprise Linux Security Update for postgresql12 (SUSE-SU-2022:2988-1)
  • 752534 SUSE Enterprise Linux Security Update for postgresql13 (SUSE-SU-2022:2987-1)
  • 752535 SUSE Enterprise Linux Security Update for postgresql14 (SUSE-SU-2022:2989-1)
  • 752568 SUSE Enterprise Linux Security Update for postgresql12 (SUSE-SU-2022:3193-1)
  • 752586 SUSE Enterprise Linux Security Update for postgresql14 (SUSE-SU-2022:3269-1)
  • 753240 SUSE Enterprise Linux Security Update for postgresql14 (SUSE-SU-2022:2989-2)
  • 902769 Common Base Linux Mariner (CBL-Mariner) Security Update for postgresql (10600)
  • 902771 Common Base Linux Mariner (CBL-Mariner) Security Update for postgresql (10595)
  • 904136 Common Base Linux Mariner (CBL-Mariner) Security Update for postgresql (10595-1)
  • 904189 Common Base Linux Mariner (CBL-Mariner) Security Update for postgresql (10600-1)
  • 940729 AlmaLinux Security Update for postgresql:12 (ALSA-2022:7128)
  • 940882 AlmaLinux Security Update for postgresql:10 (ALSA-2023:0113)
  • 940968 AlmaLinux Security Update for postgresql:13 (ALSA-2023:1576)
  • 940988 AlmaLinux Security Update for postgresql (ALSA-2023:1693)
  • 960338 Rocky Linux Security Update for postgresql:12 (RLSA-2022:7128)
  • 960582 Rocky Linux Security Update for postgresql:10 (RLSA-2023:0113)
  • 960905 Rocky Linux Security Update for postgresql:13 (RLSA-2023:1576)
© CVE.report 2026

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registered trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.
