CVE-2024-0985 (GCVE-0-2024-0985)
Vulnerability from cvelistv5
Published: 2024-02-08 13:00
Modified: 2025-06-13 15:09
CWE
  • CWE-271 - Privilege Dropping / Lowering Errors
Summary
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
Impacted products
Vendor: n/a
Product: PostgreSQL
Affected versions:
  • Version: 16 < 16.2
  • Version: 15 < 15.6
  • Version: 14 < 14.11
  • Version: 13 < 13.14
  • Version: 0 < 12.18


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-12-20T13:06:41.461Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.postgresql.org/support/security/CVE-2024-0985/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://saites.dev/projects/personal/postgres-cve-2024-0985/"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20241220-0005/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-0985",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-02-16T05:00:50.348714Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T15:09:30.114Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "16.2",
              "status": "affected",
              "version": "16",
              "versionType": "rpm"
            },
            {
              "lessThan": "15.6",
              "status": "affected",
              "version": "15",
              "versionType": "rpm"
            },
            {
              "lessThan": "14.11",
              "status": "affected",
              "version": "14",
              "versionType": "rpm"
            },
            {
              "lessThan": "13.14",
              "status": "affected",
              "version": "13",
              "versionType": "rpm"
            },
            {
              "lessThan": "12.18",
              "status": "affected",
              "version": "0",
              "versionType": "rpm"
            }
          ]
        }
      ],
      "configurations": [
        {
          "lang": "en",
          "value": "attacker has permission to create non-temporary objects in at least one schema"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Pedro Gallegos for reporting this problem."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker\u0027s roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker\u0027s materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-271",
              "description": "Privilege Dropping / Lowering Errors",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-10T17:13:47.434Z",
        "orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "shortName": "PostgreSQL"
      },
      "references": [
        {
          "url": "https://www.postgresql.org/support/security/CVE-2024-0985/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html"
        },
        {
          "url": "https://saites.dev/projects/personal/postgres-cve-2024-0985/"
        }
      ],
      "title": "PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL",
      "workarounds": [
        {
          "lang": "en",
          "value": "Use REFRESH MATERIALIZED VIEW without CONCURRENTLY."
        },
        {
          "lang": "en",
          "value": "In a new database connection, authenticate as the materialized view owner."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
    "assignerShortName": "PostgreSQL",
    "cveId": "CVE-2024-0985",
    "datePublished": "2024-02-08T13:00:02.411Z",
    "dateReserved": "2024-01-27T20:47:02.113Z",
    "dateUpdated": "2025-06-13T15:09:30.114Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

