PostgreSQL Anonymizer Privilege Escalation Vulnerability
Vulnerability
A vulnerability in PostgreSQL Anonymizer allows users to gain superuser privileges by creating a custom operator in the public schema and embedding malicious code within it. This operator can be executed with superuser rights when the extension is loaded. The issue primarily affects PostgreSQL 14 and instances upgraded from version 14 or earlier, where ordinary users can still create objects in the public schema. In PostgreSQL 15 and later, the CREATE privilege on the public schema is revoked by default, so the exploit is possible only if a superuser manually adds a new schema to their search path and grants CREATE privileges on it to untrusted users, actions the PostgreSQL documentation discourages.
Impact
Exploitation of this vulnerability allows for unauthorized privilege escalation to superuser status, potentially leading to unrestricted access and control over the PostgreSQL database.
Reproduction
To reproduce this vulnerability, a user must create a custom operator in the public schema of a PostgreSQL database. This operator should include malicious code that, when executed, elevates the user's privileges to superuser. In PostgreSQL 14 or instances upgraded from version 14 or earlier, this can be done without additional steps. In PostgreSQL 15 and later, a superuser must first add a new schema to their search path and grant CREATE privileges on it to untrusted users.
Remediation
Users are advised to upgrade to PostgreSQL Anonymizer version 3.0.1 or later, and to avoid granting CREATE privileges on untrusted schemas.
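As an added example (not part of the advisory or the PostgreSQL Anonymizer project), the following SQL lets a DBA check whether the precondition described above exists on an instance and apply the hardening the PostgreSQL documentation recommends; it assumes a psql session as a superuser and uses only standard system catalogs.

```sql
-- Added audit example (not from the advisory). Run as a superuser.

-- 1. Can ordinary roles create objects in the public schema?
--    Fresh PostgreSQL 15+ installs return false; PostgreSQL 14 and
--    clusters upgraded from 14 or earlier typically return true.
SELECT has_schema_privilege('public', 'public', 'CREATE') AS public_can_create;

-- 2. Schemas on the current search_path where the PUBLIC pseudo-role
--    holds CREATE; any hit is a place an untrusted user could plant an
--    operator that a superuser-loaded extension might resolve.
SELECT s AS schema_name
FROM unnest(current_schemas(false)) AS s
WHERE has_schema_privilege('public', s, 'CREATE');

-- 3. Operators in the public schema owned by non-superuser roles.
--    A clean instance returns no rows; review anything listed.
SELECT n.nspname                AS schema_name,
       o.oprname                AS operator_name,
       pg_get_userbyid(o.oprowner) AS owner,
       l.typname                AS left_type,
       r.typname                AS right_type,
       o.oprcode::regproc       AS implementing_function
FROM pg_operator o
JOIN pg_namespace n ON n.oid = o.oprnamespace
JOIN pg_roles     rl ON rl.oid = o.oprowner
LEFT JOIN pg_type l ON l.oid = o.oprleft
LEFT JOIN pg_type r ON r.oid = o.oprright
WHERE n.nspname = 'public'
  AND NOT rl.rolsuper;

-- 4. Hardening: remove the default CREATE grant that PostgreSQL 15+
--    already omits, so step 1 returns false afterwards.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Re-run the first query after the REVOKE to confirm it now returns false; the upgrade to PostgreSQL Anonymizer 3.0.1 or later is still required, since this only closes the precondition the advisory describes.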