CVE-2022-1552 : Autovacuum, REINDEX, and others omit "security restricted operation" sandbox
22190
19 May 2023
19 May 2023
OPEN
LOW
Base Score: 8.8 HIGH - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
N/A
CVE-2022-1552
|
Brocade Security Advisory ID |
BSA-2023-2088 |
|
Component |
PostgreSQL |
|
|
|
Summary
A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity. More at: https://www.postgresql.org/support/security/CVE-2022-1552/
Products Confirmed Not Affected
- Brocade Fabric OS is NOT AFFECTED
- Brocade ASCG is NOT AFFECTED
- Brocade SANNav is UNDER INVESTIGATION
Revision History
|
Version |
Change |
Date |
|
1.0 |
Initial Publication |
May 17, 2023 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.