CVE-2022-1552

Description

A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.

How to fix CVE-2022-1552

To remediate CVE-2022-1552, upgrade the affected package to a fixed version below.

• —upgrade to 13.7-r0 or later
• —upgrade to 13.7-r0 or later
• —upgrade to 14.3-r0 or later
• —upgrade to 14.3-r0 or later
• —upgrade to 10.21.0 or later
• —upgrade to 11.16-0+deb10u1 or later
• —upgrade to 13.7-0+deb11u1 or later
• —upgrade to 13.7-0+deb11u1 or later

Is CVE-2022-1552 being exploited?

Low — EPSS is 2.3%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 13.7-r0
• from 0, < 13.7-r0
• from 0, < 14.3-r0
• from 0, < 14.3-r0
• >= 10.0.0, < 10.21.0, >= 11.0.0, < 11.16.0, >= 12.0.0, < 12.11.0, >= 13.0.0, < 13.7.0, >= 14.0.0, < 14.3.0
• from 0, < 11.16-0+deb10u1
• from 0, < 13.7-0+deb11u1
• from 0, < 13.7-0+deb11u1

CVSS scores

References (9)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-1552
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-1552
• WEBaccess.redhat.com/security/cve/CVE-2022-1552
• WEBbugzilla.redhat.com/show_bug.cgi?id=2081126
• WEB