CVE-2024-0985

CVSS V2 None CVSS V3 None

Description

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

Overview

CVE ID
CVE-2024-0985

Assigner
PostgreSQL

Vulnerability Status
PUBLISHED

Published Version
2024-02-08T13:00:02.411Z

Last Modified Date
2024-06-19T23:33:54.806Z

Weakness Enumerations

CWE	URL
CWE-271	http://cwe.mitre.org/data/definitions/271.html

References

Reference URL	Reference Tags
https://www.postgresql.org/support/security/CVE-2024-0985/
https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html

Sources

Source Name	Source URL
NIST	https://nvd.nist.gov/vuln/detail/CVE-2024-0985
MITRE	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0985

History

Created	Old Value	New Value	Data Type	Notes
2024-06-26 09:34:02				Added to TrackCVE