timescaledb

postgres/timescaledb

Fork 0

mirror of https://github.com/timescale/timescaledb.git synced 2025-05-15 10:11:29 +08:00

Commit Graph

Author	SHA1	Message	Date
Sven Klemm	c8b8516e46	Fix extension installation privilege escalation TimescaleDB was vulnerable to a privilege escalation attack in the extension installation script. An attacker could precreate objects normally owned by the extension and get those objects used in the installation script since the script would only try to create them if they did not already exist. Thanks to Pedro Gallegos for reporting the problem. This patch changes the schema, table and function creation to fail and abort the installation when the object already exists instead of using the existing object. Security: CVE-2022-24128	2022-02-09 17:53:20 +01:00

Author

SHA1

Message

Date

Sven Klemm

c8b8516e46

Fix extension installation privilege escalation

TimescaleDB was vulnerable to a privilege escalation attack in
the extension installation script. An attacker could precreate
objects normally owned by the extension and get those objects
used in the installation script since the script would only try
to create them if they did not already exist. Thanks to Pedro
Gallegos for reporting the problem.

This patch changes the schema, table and function creation to fail
and abort the installation when the object already exists instead
of using the existing object.

Security: CVE-2022-24128

2022-02-09 17:53:20 +01:00

1 Commits