CVE-2024-1713

A user who can create objects in a database with plv8 3.2.1 installed is able to cause deferred triggers to execute as the Superuser during autovacuum.

CVSS v3 7.2 HIGH

7.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.3 / Impact : 5.3

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/google/security-research/security/advisories/GHSA-r7m9-grw7-vcc4	Exploit Third Party Advisory
https://github.com/google/security-research/security/advisories/GHSA-r7m9-grw7-vcc4	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:plv8:plv8:3.2.1:*:*:*:*:*:*:*

History

23 Jan 2025, 19:18

Type	Values Removed	Values Added
CPE		cpe:2.3:a:plv8:plv8:3.2.1:::::::*
References	~~() https://github.com/google/security-research/security/advisories/GHSA-r7m9-grw7-vcc4 -~~	() https://github.com/google/security-research/security/advisories/GHSA-r7m9-grw7-vcc4 - Exploit, Third Party Advisory
First Time		Plv8 Plv8 plv8
CWE		CWE-754

21 Nov 2024, 08:51

Type	Values Removed	Values Added
References	~~() https://github.com/google/security-research/security/advisories/GHSA-r7m9-grw7-vcc4 -~~	() https://github.com/google/security-research/security/advisories/GHSA-r7m9-grw7-vcc4 -
Summary		(es) Un usuario que puede crear objetos en una base de datos con plv8 3.2.1 instalado puede provocar que se ejecuten activadores diferidos como superusuario durante el vacío automático.

14 Mar 2024, 21:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-03-14 21:15

Updated : 2025-01-23 19:18

NVD link : CVE-2024-1713

Mitre link : CVE-2024-1713

CVE.ORG link : CVE-2024-1713

JSON object : View

Products Affected

plv8

plv8

CWE

CWE-394

Unexpected Status Code or Return Value

CWE-754

Improper Check for Unusual or Exceptional Conditions

{"id": "CVE-2024-1713", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}, "impactScore": 5.3, "exploitabilityScore": 1.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2024-03-14T21:15:50.840", "references": [{"url": "https://github.com/google/security-research/security/advisories/GHSA-r7m9-grw7-vcc4", "tags": ["Exploit", "Third Party Advisory"], "source": "cve-coordination@google.com"}, {"url": "https://github.com/google/security-research/security/advisories/GHSA-r7m9-grw7-vcc4", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-394"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-754"}]}], "descriptions": [{"lang": "en", "value": "A user who can create objects in a database with plv8 3.2.1 installed is able to cause deferred triggers to execute as the Superuser during autovacuum.\n"}, {"lang": "es", "value": "Un usuario que puede crear objetos en una base de datos con plv8 3.2.1 instalado puede provocar que se ejecuten activadores diferidos como superusuario durante el vac\u00edo autom\u00e1tico."}], "lastModified": "2025-01-23T19:18:07.843", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:plv8:plv8:3.2.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EFECC643-1F7D-47D7-BA1C-262AC9361E41"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}