Alpine: postgresql-timescaledb: security update to 2.9.3-r0

high Tenable Cloud Security Plugin ID 406503

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- TimescaleDB, an open-source time-series SQL database, has a privilege escalation vulnerability in versions
2.8.0 through 2.9.2. During installation, TimescaleDB creates a telemetry job that runs as the
installation user. The queries run as part of the telemetry data collection were not run with a locked
down `search_path`, allowing malicious users to create functions that would be executed by the telemetry
job, leading to privilege escalation. In order to be able to take advantage of this vulnerability, a user
would need to be able to create objects in a database and then get a superuser to install TimescaleDB into
their database. When TimescaleDB is installed as a trusted extension, non-superusers can install the
extension without help from a superuser. Version 2.9.3 fixes this issue. As a mitigation, the
`search_path` of the user running the telemetry job can be locked down to not include schemas writable by
other users. The vulnerability is not exploitable on instances in Timescale Cloud and Managed Service for
TimescaleDB due to additional security provisions in place on those platforms. (CVE-2023-25149)

See Also

https://security.alpinelinux.org/vuln/CVE-2023-25149

Plugin Details

Severity: High

ID: 406503

Version: Revision 1.31

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-25149

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/14/2023

Reference Information

CVE: CVE-2023-25149