Late Privilege Drop Vulnerability in PostgreSQL Allows Arbitrary SQL Execution
CVE-2024-0985

8 HIGH

Key Information:

Vendor: PostgreSQL
CVE Published: 8 February 2024

Summary

A late privilege drop vulnerability in PostgreSQL's REFRESH MATERIALIZED VIEW CONCURRENTLY command allows an object creator to execute arbitrary SQL functions with the privileges of the command issuer. Refreshing an untrusted materialized view is intended to be safe; this flaw breaks that guarantee, putting superusers or users with assigned roles at risk if they are manipulated into running the command on the attacker's materialized view. Versions of PostgreSQL prior to 16.2, 15.6, 14.11, 13.14, and 12.18 are affected, and affected installations need immediate security measures.

Affected Version(s)

PostgreSQL 16 < 16.2

PostgreSQL 15 < 15.6

PostgreSQL 14 < 14.11

News Articles

CVE-2024-0985: A Critical Security Vulnerability in PostgreSQL - OP INNOVATE

CVE-2024-0985 poses a critical risk to PostgreSQL versions 12-15, allowing elevated privilege attacks via specific operations. Immediate upgrade to patched versions (12.18, 13.14, 14.11, 15.6) is crucial. Exercise caution with untrusted materialized views to mitigate potential data breaches.

CVE-2024-0985: PostgreSQL's Critical Security Flaw Exposed

This vulnerability, designated CVE-2024-0985 (CVSS 8.0), could allow attackers to execute malicious code with elevated privileges

CVSS V3.1

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • First article discovered by securityonline.info

  • Vulnerability published

  • Vulnerability Reserved

Credit

The PostgreSQL project thanks Pedro Gallegos for reporting this problem.