Thanasi

**Name of the Vulnerable Software and Affected Versions** TimescaleDB versions 2.8.0 through 2.9.2 **Description** TimescaleDB has a privilege escalation issue due to the telemetry job running with an unlocked `search path`, allowing malicious users to create functions that would be executed by the telemetry job. To exploit this, a user needs to be able to create objects in a database and then get a superuser to install TimescaleDB into their database. When installed as a trusted extension, non-superusers can install it without help from a superuser. The issue is not exploitable on instances in Timescale Cloud and Managed Service for TimescaleDB due to additional security provisions. **Recommendations** For versions 2.8.0 through 2.9.2, update to version 2.9.3 to fix the issue. As a mitigation, lock down the `search path` of the user running the telemetry job to not include schemas writable by other users.