PostgreSQL CREATE TYPE does not check multirange schema CREATE privilege
Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.
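A defender-side audit for the condition named in the title, as an added example that is not part of the advisory or of PostgreSQL's own tooling. It assumes that abuse leaves behind a multirange type in a schema on which the type's owner holds no CREATE privilege; the column aliases are illustrative.

```sql
-- Added example (not from the advisory). Run in each database as a superuser.
-- Assumption: a multirange type placed in a schema where its owner has no
-- CREATE privilege is the artifact this missing check would leave behind.

-- 1. Server version, to compare against the fixed releases listed above.
SELECT current_setting('server_version') AS server_version;

-- 2. Multirange types whose owner lacks CREATE on the containing schema,
--    with the parent range type and whether the schema is on the current
--    session's effective search_path.
SELECT mn.nspname                              AS multirange_schema,
       mt.typname                              AS multirange_type,
       rn.nspname                              AS range_schema,
       rt.typname                              AS range_type,
       pg_get_userbyid(mt.typowner)            AS type_owner,
       pg_get_userbyid(mn.nspowner)            AS schema_owner,
       mn.nspname = ANY (current_schemas(true)) AS on_search_path
FROM pg_range r
JOIN pg_type      mt ON mt.oid = r.rngmultitypid   -- the multirange type
JOIN pg_namespace mn ON mn.oid = mt.typnamespace
JOIN pg_type      rt ON rt.oid = r.rngtypid        -- its parent range type
JOIN pg_namespace rn ON rn.oid = rt.typnamespace
WHERE NOT has_schema_privilege(mt.typowner, mn.oid, 'CREATE')
ORDER BY multirange_schema, multirange_type;
```

Rows can also appear for benign reasons, such as CREATE being revoked from the owner after the type was legitimately created, so treat each result as a lead to review rather than proof of abuse.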
Problem Types
| Type | CWE ID | Description |
|---|---|---|
| CWE | CWE-862 | Missing Authorization |
Metrics
| Version | Base score | Base severity | Vector |
|---|---|---|---|
| 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |