Row Security Issues in PostgreSQL Affecting Multiple Versions

CVE-2024-10976

Summary

The vulnerability arises from incomplete tracking in PostgreSQL regarding tables that utilize row-level security. It enables attackers to manipulate reused queries in a way that they can access or alter unintended data. Specifically, when applications define row security policies using CREATE POLICY, incorrect role-specific policies might be applied during query execution under alternate user roles. This could allow unauthorized data reads or modifications, particularly in scenarios involving security definer functions or shared user queries reused across multiple roles. The vulnerability impacts numerous PostgreSQL versions prior to the specified updates, underscoring the importance of implementing the necessary patches to maintain data integrity and security.

References