A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another users objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.
The product does not properly “clean up” and remove temporary or supporting resources after they have been used.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Postgresql | Postgresql | 10.0 (including) | 10.21 (excluding) |
| Postgresql | Postgresql | 11.0 (including) | 11.16 (excluding) |
| Postgresql | Postgresql | 12.0 (including) | 12.11 (excluding) |
| Postgresql | Postgresql | 13.0 (including) | 13.7 (excluding) |
| Postgresql | Postgresql | 14.0 (including) | 14.3 (excluding) |