CVE-2024-0985

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

History

10 Jul 2024, 18:15

Type Values Removed Values Added
References
  • () https://saites.dev/projects/personal/postgres-cve-2024-0985/ -

20 Jun 2024, 00:15

Type Values Removed Values Added
Summary (en) Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability. (en) Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

18 Mar 2024, 17:15

Type Values Removed Values Added
References
  • () https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html -

15 Feb 2024, 15:23

Type Values Removed Values Added
References () https://www.postgresql.org/support/security/CVE-2024-0985/ - () https://www.postgresql.org/support/security/CVE-2024-0985/ - Vendor Advisory
CWE NVD-CWE-noinfo
Summary
  • (es) La caída tardía de privilegios en ACTUALIZAR VISTA MATERIALIZADA CONCURRENTE en PostgreSQL permite a un creador de objetos ejecutar funciones SQL arbitrarias como emisor de comandos. El comando pretende ejecutar funciones SQL como propietario de la vista materializada, lo que permite una actualización segura de vistas materializadas que no son de confianza. La víctima es un superusuario o miembro de uno de los roles del atacante. El ataque requiere atraer a la víctima para que ejecute ACTUALIZAR VISTA MATERIALIZADA CONCURRENTE en la vista materializada del atacante. Como parte de la explotación de esta vulnerabilidad, el atacante crea funciones que utilizan CREATE RULE para convertir la tabla temporal creada internamente en una vista. Las versiones anteriores a PostgreSQL 15.6, 14.11, 13.14 y 12.18 se ven afectadas. El único exploit conocido no funciona en PostgreSQL 16 y posteriores. Para una defensa en profundidad, PostgreSQL 16.2 agrega las protecciones que utilizan las ramas más antiguas para corregir su vulnerabilidad.
CPE cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
First Time Postgresql postgresql
Postgresql

08 Feb 2024, 13:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-02-08 13:15

Updated : 2024-07-10 18:15


NVD link : CVE-2024-0985

Mitre link : CVE-2024-0985

CVE.ORG link : CVE-2024-0985


JSON object : View

Products Affected

postgresql

  • postgresql
CWE
NVD-CWE-noinfo CWE-271

Privilege Dropping / Lowering Errors