Privilege Escalation Vulnerability in TimescaleDB by Timescale
CVE-2022-24128

8HIGH

Key Information:

Vendor: Timescale
Status: Timescaledb
Vendor: CVE Published:; 13 March 2022

What is CVE-2022-24128?

TimescaleDB versions 1.x and 2.x prior to 2.5.2 have a vulnerability that permits privilege escalation during the extension installation process. An unprivileged user can exploit this issue by creating pre-defined objects in the database which are then utilized by a Superuser during installation. If an unprivileged user successfully creates these objects, they can potentially escalate their privileges when a Superuser installs TimescaleDB into the database. The issue is mitigated in the fixed versions where installation will abort if existing objects are detected.

References

https://docs.timescale.com/timescaledb/latest/overview/re...

https://github.com/timescale/timescaledb/security/advisor...

https://github.com/timescale/timescaledb/commit/6275c2985...

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 13, 2022
Vulnerability Reserved
Jan 29, 2022

JSON