CVE-2024-0985

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

History

21 Nov 2024, 08:47

Type Values Removed Values Added
References () https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html - () https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html -
References () https://saites.dev/projects/personal/postgres-cve-2024-0985/ - () https://saites.dev/projects/personal/postgres-cve-2024-0985/ -
References () https://www.postgresql.org/support/security/CVE-2024-0985/ - Vendor Advisory () https://www.postgresql.org/support/security/CVE-2024-0985/ - Vendor Advisory

10 Jul 2024, 18:15

Type Values Removed Values Added
References
  • () https://saites.dev/projects/personal/postgres-cve-2024-0985/ -

20 Jun 2024, 00:15

Type Values Removed Values Added
Summary (en) Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability. (en) Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

18 Mar 2024, 17:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html -

15 Feb 2024, 15:23

Type Values Removed Values Added
CPE cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.0
CWE NVD-CWE-noinfo
References () https://www.postgresql.org/support/security/CVE-2024-0985/ - () https://www.postgresql.org/support/security/CVE-2024-0985/ - Vendor Advisory
First Time Postgresql
Postgresql postgresql

08 Feb 2024, 13:44

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-08 13:15

Updated : 2024-11-21 08:47


NVD link : CVE-2024-0985

Mitre link : CVE-2024-0985

CVE.ORG link : CVE-2024-0985


JSON object : View

Products Affected

postgresql

  • postgresql
CWE
CWE-271

Privilege Dropping / Lowering Errors

NVD-CWE-noinfo