
=====================================================================

                             CERT-Renater

                  Note d'Information No. 2023/VULN081

_____________________________________________________________________

DATE                : 16/02/2023

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running TimescaleDB versions prior to
                     2.9.3.

=====================================================================
https://github.com/timescale/timescaledb/security/advisories/GHSA-44jh-j22r-33wq
_____________________________________________________________________


TimescaleDB 2.8.0 through 2.9.2 has incorrect access control
High
thanasisk published GHSA-44jh-j22r-33wq
Package
TimescaleDB (TimescaleDB)

Affected versions
2.8.0 through 2.9.2

Patched versions
2.9.3


Description

Summary

During installation TimescaleDB creates a telemetry job that runs as
the installation user. The queries run as part of the telemetry data
collection were not run with a locked-down search_path, allowing
malicious users to create functions that would be executed by the
telemetry job, leading to privilege escalation.

In order to take advantage of this vulnerability, a user would need to
be able to create objects in a database and then get a superuser to
install TimescaleDB into that database. When TimescaleDB is installed
as a trusted extension, non-superusers can install the extension
without help from a superuser.


Fix

Upgrade to TimescaleDB 2.9.3.


Workarounds

As a mitigation the search_path of the user running the telemetry job 
can be locked down to not include schemas writable by other users.
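The following SQL is an added example for applying that workaround on a
PostgreSQL instance; it is not part of the CERT-Renater note or of the
TimescaleDB advisory. It assumes the telemetry job runs as a role named
tsdb_install in a database named tsdb (both placeholder names for
whichever role installed the extension and whichever database holds it).
It first lists schemas where roles other than the owner may CREATE
objects, then pins the installation role's search_path to catalog
schemas only.

```sql
-- Added example (not from the CERT-Renater note or the TimescaleDB advisory).
-- Placeholders: role tsdb_install = the role that installed the extension and
-- runs the telemetry job; database tsdb = the database it was installed into.

-- 1. Find schemas in which the PUBLIC pseudo-role can CREATE objects.
--    Before PostgreSQL 15 the "public" schema grants CREATE to PUBLIC by
--    default, which is what lets a low-privileged user plant a function that
--    an unqualified name on the job's search_path would resolve to.
SELECT n.nspname,
       pg_get_userbyid(n.nspowner)                           AS owner,
       has_schema_privilege('public', n.nspname, 'CREATE')   AS public_can_create
FROM pg_namespace n
WHERE n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema'
ORDER BY n.nspname;

-- 2. Show any search_path already pinned for the installation role, globally
--    or per database (per-database settings live in pg_db_role_setting).
SELECT r.rolname, d.datname, s.setconfig
FROM pg_db_role_setting s
JOIN pg_roles r          ON r.oid = s.setrole
LEFT JOIN pg_database d  ON d.oid = s.setdatabase
WHERE r.rolname = 'tsdb_install';

-- 3. Pin the role's search_path in that database to schemas ordinary users
--    cannot write to. pg_catalog comes first so system objects cannot be
--    shadowed; pg_temp is listed explicitly and last so session-temporary
--    objects are searched after the catalog instead of before it.
ALTER ROLE tsdb_install IN DATABASE tsdb
    SET search_path = pg_catalog, pg_temp;

-- 4. Close the usual entry point as well: stop arbitrary users from creating
--    objects in this database's public schema.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

The advisory does not say which schemas the telemetry queries themselves
need on the path; if the extension's own schemas must be added, include
them only when they are not writable by other users, and confirm the job
still completes after the change. The setting takes effect on the role's
next session, so an already-running job keeps its old search_path until
it reconnects.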


Affected Platforms

The vulnerability is not exploitable on instances in Timescale Cloud and 
Managed Service for TimescaleDB due to additional security provisions in 
place on those platforms.


Severity
High

8.8 / 10

CVSS base metrics

Attack vector
Network

Attack complexity
Low

Privileges required
Low

User interaction
None

Scope
Unchanged

Confidentiality
High

Integrity
High

Availability
High

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE ID
CVE-2023-25149

Weaknesses
No CWEs



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

