Privilege Escalation in PostgreSQL Affects Multiple Versions
CVE-2024-10978
Key Information:
- Vendor: PostgreSQL Global Development Group
- Status
- Postgresql
- Vendor
- CVE Published: 14 November 2024
Summary
A vulnerability in PostgreSQL arises from incorrect privilege assignment, which lets a less-privileged application user view or change data that was not intended for them. The issue matters specifically when an application uses SET ROLE or SET SESSION AUTHORIZATION (or an equivalent feature) to switch the effective user: an attacker can then influence which identity a query runs under, circumventing the intended security controls. This can lead to unauthorized modification or exposure of sensitive data when application queries incorporate attacker-controlled parameters or return query results to the attacker. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Timeline
- Vulnerability published: 14 November 2024