Row Security Issues in PostgreSQL Affecting Multiple Versions
CVE-2024-10976
What is CVE-2024-10976?
The vulnerability arises from PostgreSQL incompletely tracking which tables use row-level security. It allows an attacker to exploit reused queries so that data they are not permitted to see can be read or altered. Specifically, when an application defines row security policies with CREATE POLICY, a query that is reused and executed under a different user role may be checked against the wrong role's policies. This can permit unauthorized reads or modifications, particularly where security definer functions or shared queries are reused across multiple roles. Numerous PostgreSQL versions prior to the fixed releases are affected, so applying the corresponding patches is necessary to preserve data integrity and security.

Affected Version(s)
PostgreSQL 17 < 17.1
PostgreSQL 16 < 16.5
PostgreSQL 15 < 15.9
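As an added check (not part of the original advisory), the helper below parses the output of SELECT version() or a bare "X.Y" string and decides whether the server predates the fixed releases listed above. Majors not listed on this page are reported as unknown rather than guessed; the sample version strings are constructed.

```python
import re

# Fixed releases exactly as listed on this page: major -> first patched minor.
# Majors absent from this table are reported as "unknown" rather than guessed.
FIXED_MINOR = {17: 1, 16: 5, 15: 9}


def parse_server_version(text: str) -> tuple[int, int]:
    """Extract (major, minor) from SELECT version() output or a bare 'X.Y'.

    'PostgreSQL 16.4 on x86_64-pc-linux-gnu, ...' -> (16, 4)
    '17.1'                                       -> (17, 1)
    Strings without an X.Y pair (e.g. '17devel') raise ValueError.
    """
    match = re.search(r"(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no X.Y version found in: {text!r}")
    return int(match.group(1)), int(match.group(2))


def cve_2024_10976_status(text: str) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for CVE-2024-10976."""
    major, minor = parse_server_version(text)
    if major not in FIXED_MINOR:
        return "unknown"  # major not covered by the ranges on this page
    return "vulnerable" if minor < FIXED_MINOR[major] else "patched"


if __name__ == "__main__":
    # Constructed sample inputs, not output from a real server.
    samples = [
        "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc",
        "17.1",
        "PostgreSQL 15.8",
        "PostgreSQL 14.13",
    ]
    for s in samples:
        print(f"{s!r}: {cve_2024_10976_status(s)}")
```

A "vulnerable" result means only that the release predates the fix; actual exposure depends on whether the database uses row-level security with role-specific policies, security definer functions or queries shared across roles.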