Nixpkgs security tracker
8.8 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): CHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
Activity log
- Created suggestion
TimescaleDB uses untrusted search path during extension upgrade
TimescaleDB is a time-series database for high-performance real-time analytics packaged as a Postgres extension. From version 2.23.0 to 2.25.1, PostgreSQL uses the search_path setting to locate unqualified database objects (tables, functions, operators). If the search_path includes user-writable schemas a malicious user can create functions in that schema that shadow builtin postgres functions and will be called instead of the postgres functions leading to arbitrary code execution during extension upgrade. This issue has been patched in version 2.25.2.
References
-
https://github.com/timescale/timescaledb/security/advisories/GHSA-vgp2-jj5c-828m x_refsource_CONFIRM
-
https://github.com/timescale/timescaledb/pull/9331 x_refsource_MISC
-
https://github.com/timescale/timescaledb/releases/tag/2.25.2 x_refsource_MISC
Affected products
- ==>= 2.23.0, < 2.25.2
Matching in nixpkgs
pkgs.timescaledb-tune
Tool for tuning your TimescaleDB for better performance
pkgs.timescaledb-parallel-copy
Bulk, parallel insert of CSV records into PostgreSQL
pkgs.postgresqlPackages.timescaledb
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresql14Packages.timescaledb
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresql15Packages.timescaledb
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresql16Packages.timescaledb
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresql17Packages.timescaledb
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresql18Packages.timescaledb
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresqlPackages.timescaledb-apache
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresqlPackages.timescaledb_toolkit
Provide additional tools to ease all things analytic when using TimescaleDB
pkgs.postgresql14Packages.timescaledb-apache
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresql15Packages.timescaledb-apache
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresql16Packages.timescaledb-apache
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresql17Packages.timescaledb-apache
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresql18Packages.timescaledb-apache
Scales PostgreSQL for time-series data via automatic partitioning across time and space
pkgs.postgresql15Packages.timescaledb_toolkit
Provide additional tools to ease all things analytic when using TimescaleDB
pkgs.postgresql16Packages.timescaledb_toolkit
Provide additional tools to ease all things analytic when using TimescaleDB
Package maintainers
-
@kirillrdy Kirill Radzikhovskyy <kirillrdy@gmail.com>
-
@typetetris Eric Wolf <ericwolf42@mail.com>
-
@thoughtpolice Austin Seipp <aseipp@pobox.com>