CVE-2024-0985

Name
CVE-2024-0985
Description
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 https://www.postgresql.org/support/security/CVE-2024-0985/
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 https://saites.dev/projects/personal/postgres-cve-2024-0985/
af854a3a-2127-422b-91ae-364da2661108 https://security.netapp.com/advisory/ntap-20241220-0005/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 12.0 < 12.18
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 13.0 < 13.14
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 14.0 < 14.11
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 15.0 < 15.6

Vulnerable and fixed packages

Source package Branch Version Maintainer Status