CVE-2022-24128
📋 TL;DR
TimescaleDB versions before 2.5.2 contain a privilege escalation vulnerability during extension installation. An unprivileged database user can pre-create objects that are then used by the superuser installer, potentially gaining elevated privileges. This affects TimescaleDB 1.x and 2.x installations where unprivileged users can create database objects.
💻 Affected Systems
- TimescaleDB
📦 What is this software?
TimescaleDB by Timescale
⚠️ Risk & Real-World Impact
Worst Case
An unprivileged database user gains full superuser privileges on the TimescaleDB instance, allowing complete database compromise, data theft/modification, and potential system-level access.
Likely Case
Privileged database user escalates to superuser within TimescaleDB, enabling unauthorized access to sensitive data and database administration functions.
If Mitigated
Limited impact if proper access controls prevent unprivileged users from creating database objects or if superuser installation is restricted.
🎯 Exploit Status
Requires authenticated database access and ability to trigger superuser extension installation. Exploit involves pre-creating objects before installation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.5.2 and later
Vendor Advisory: https://github.com/timescale/timescaledb/security/advisories/GHSA-fh8v-663w-79w9
Restart Required: Yes
Instructions:
1. Back up your database.
2. Stop the TimescaleDB service.
3. Upgrade to TimescaleDB 2.5.2 or later using your package manager.
4. Restart the TimescaleDB service.
5. Verify the version with SELECT default_version FROM pg_available_extensions WHERE name = 'timescaledb';
🔧 Temporary Workarounds
Restrict CREATE Privileges
Prevent unprivileged users from creating objects in databases where TimescaleDB might be installed.
REVOKE CREATE ON DATABASE database_name FROM username;
REVOKE CREATE ON SCHEMA public FROM username;
Superuser Installation Control
Only allow trusted superusers to install TimescaleDB extensions, and monitor installation activities.
🧯 If You Can't Patch
- Implement strict access controls to prevent unprivileged users from creating database objects
- Monitor and audit all TimescaleDB extension installation activities by superusers
🔍 How to Verify
Check if Vulnerable:
Check TimescaleDB version: SELECT default_version FROM pg_available_extensions WHERE name = 'timescaledb'; If version is below 2.5.2, you are vulnerable.
Check Version:
SELECT default_version FROM pg_available_extensions WHERE name = 'timescaledb';
Verify Fix Applied:
After upgrade, verify version is 2.5.2 or higher: SELECT default_version FROM pg_available_extensions WHERE name = 'timescaledb';
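One defender-side check script covering both the workaround (restricting CREATE) and the verification steps above, added here as an example; it is not from the advisory or from the TimescaleDB project. It assumes the extension keeps its objects in schemas prefixed `_timescaledb_` and uses `app_user` and `database_name` as placeholders; note that `installed_version` reflects what is loaded in the current database, while `default_version` is only what the server can install.

```sql
-- Added example for CVE-2022-24128 (not the advisory's or the project's code).
-- Assumptions: extension schemas are named _timescaledb_*, version strings
-- are plain dotted integers (e.g. 2.5.2), app_user/database_name are placeholders.

-- 1. Version check, compared numerically so that 2.10.0 sorts after 2.5.2.
SELECT name,
       default_version,
       installed_version,
       string_to_array(default_version, '.')::int[] >= '{2,5,2}'::int[]
           AS available_is_fixed,
       installed_version IS NOT NULL
       AND string_to_array(installed_version, '.')::int[] >= '{2,5,2}'::int[]
           AS installed_is_fixed
FROM pg_available_extensions
WHERE name = 'timescaledb';

-- 2. Login roles (non-superusers) that can still create objects in this
--    database or in public: each row is a candidate for the REVOKE below.
SELECT r.rolname,
       has_database_privilege(r.rolname, current_database(), 'CREATE') AS create_on_db,
       has_schema_privilege(r.rolname, 'public', 'CREATE')            AS create_on_public
FROM pg_roles r
WHERE NOT r.rolsuper
  AND r.rolcanlogin
  AND (has_database_privilege(r.rolname, current_database(), 'CREATE')
       OR has_schema_privilege(r.rolname, 'public', 'CREATE'));

-- 3. Relations inside the extension's schemas that are owned by a
--    non-superuser and are NOT members of the extension (no pg_depend
--    row of deptype 'e'): the pre-existing objects the advisory describes.
SELECT n.nspname, c.relname, c.relkind, pg_get_userbyid(c.relowner) AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r     ON r.oid = c.relowner
WHERE n.nspname LIKE '\_timescaledb\_%'
  AND NOT r.rolsuper
  AND NOT EXISTS (
        SELECT 1
        FROM pg_depend d
        JOIN pg_extension e ON e.oid = d.refobjid
        WHERE d.classid    = 'pg_class'::regclass
          AND d.refclassid = 'pg_extension'::regclass
          AND d.objid      = c.oid
          AND d.deptype    = 'e'
          AND e.extname    = 'timescaledb');

-- 4. The advisory's workaround, applied to one flagged role.
REVOKE CREATE ON DATABASE database_name FROM app_user;
REVOKE CREATE ON SCHEMA public FROM app_user;
```

Run queries 1 to 3 as a superuser in each database where the extension is or may be installed; anything returned by query 3 should be reviewed and dropped before the extension is installed or upgraded.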
📡 Detection & Monitoring
Log Indicators:
- Failed CREATE IF NOT EXISTS statements during extension installation
- Unexpected object creation by unprivileged users before extension installation
- TimescaleDB installation logs showing pre-existing objects
Network Indicators:
- Database connections from unprivileged users followed by superuser extension installation
SIEM Query:
source="postgresql" AND ("CREATE" AND "IF NOT EXISTS" AND "timescaledb") OR ("extension" AND "timescaledb" AND "installation")
🔗 References
- https://docs.timescale.com/timescaledb/latest/overview/release-notes/
- https://github.com/timescale/timescaledb/commit/6275c2985927cfd4900b85cac5120227c8cb1f0c
- https://github.com/timescale/timescaledb/commit/c8b8516e466c2bb7d2ae6a4b0b2e8e60b24b24a2
- https://github.com/timescale/timescaledb/security/advisories/GHSA-fh8v-663w-79w9