gsd-2024-0985
Vulnerability from gsd
Modified
2024-01-28 06:02
Details
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.
Aliases



{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-0985"
      ],
      "details": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker\u0027s roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker\u0027s materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability.",
      "id": "GSD-2024-0985",
      "modified": "2024-01-28T06:02:30.302570Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cna@postgresql.org",
        "ID": "CVE-2024-0985",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "PostgreSQL",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "\u003c",
                          "version_name": "15",
                          "version_value": "15.6"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "14",
                          "version_value": "14.11"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "13",
                          "version_value": "13.14"
                        },
                        {
                          "version_affected": "\u003c",
                          "version_name": "0",
                          "version_value": "12.18"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "configuration": [
        {
          "lang": "en",
          "value": "attacker has permission to create non-temporary objects in at least one schema"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "The PostgreSQL project thanks Pedro Gallegos for reporting this problem."
        }
      ],
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker\u0027s roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker\u0027s materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability."
          }
        ]
      },
      "impact": {
        "cvss": [
          {
            "baseScore": 8,
            "baseSeverity": "HIGH",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-271",
                "lang": "eng",
                "value": "Privilege Dropping / Lowering Errors"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.postgresql.org/support/security/CVE-2024-0985/",
            "refsource": "MISC",
            "url": "https://www.postgresql.org/support/security/CVE-2024-0985/"
          },
          {
            "name": "https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html",
            "refsource": "MISC",
            "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html"
          }
        ]
      },
      "work_around": [
        {
          "lang": "en",
          "value": "Use REFRESH MATERIALIZED VIEW without CONCURRENTLY."
        },
        {
          "lang": "en",
          "value": "In a new database connection, authenticate as the materialized view owner."
        }
      ]
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "6515DD96-8226-4C7A-9731-75C62F781ADD",
                    "versionEndExcluding": "12.18",
                    "versionStartIncluding": "12.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "36C5A43F-5861-460E-912B-BC70C232DEED",
                    "versionEndExcluding": "13.14",
                    "versionStartIncluding": "13.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "170AC44C-3970-46BF-8071-4B29F5EF20F3",
                    "versionEndExcluding": "14.11",
                    "versionStartIncluding": "14.0",
                    "vulnerable": true
                  },
                  {
                    "criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "AF8DDD13-1879-4298-855A-F2FC236CB846",
                    "versionEndExcluding": "15.6",
                    "versionStartIncluding": "15.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker\u0027s roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker\u0027s materialized view. As part of exploiting this vulnerability, the attacker creates functions that use CREATE RULE to convert the internally-built temporary table to a view. Versions before PostgreSQL 15.6, 14.11, 13.14, and 12.18 are affected. The only known exploit does not work in PostgreSQL 16 and later. For defense in depth, PostgreSQL 16.2 adds the protections that older branches are using to fix their vulnerability."
          },
          {
            "lang": "es",
            "value": "La ca\u00edda tard\u00eda de privilegios en ACTUALIZAR VISTA MATERIALIZADA CONCURRENTE en PostgreSQL permite a un creador de objetos ejecutar funciones SQL arbitrarias como emisor de comandos. El comando pretende ejecutar funciones SQL como propietario de la vista materializada, lo que permite una actualizaci\u00f3n segura de vistas materializadas que no son de confianza. La v\u00edctima es un superusuario o miembro de uno de los roles del atacante. El ataque requiere atraer a la v\u00edctima para que ejecute ACTUALIZAR VISTA MATERIALIZADA CONCURRENTE en la vista materializada del atacante. Como parte de la explotaci\u00f3n de esta vulnerabilidad, el atacante crea funciones que utilizan CREATE RULE para convertir la tabla temporal creada internamente en una vista. Las versiones anteriores a PostgreSQL 15.6, 14.11, 13.14 y 12.18 se ven afectadas. El \u00fanico exploit conocido no funciona en PostgreSQL 16 y posteriores. Para una defensa en profundidad, PostgreSQL 16.2 agrega las protecciones que utilizan las ramas m\u00e1s antiguas para corregir su vulnerabilidad."
          }
        ],
        "id": "CVE-2024-0985",
        "lastModified": "2024-03-18T17:15:06.070",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.0,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.1,
              "impactScore": 5.9,
              "source": "nvd@nist.gov",
              "type": "Primary"
            },
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.0,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "exploitabilityScore": 2.1,
              "impactScore": 5.9,
              "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
              "type": "Secondary"
            }
          ]
        },
        "published": "2024-02-08T13:15:08.927",
        "references": [
          {
            "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
            "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html"
          },
          {
            "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
            "tags": [
              "Vendor Advisory"
            ],
            "url": "https://www.postgresql.org/support/security/CVE-2024-0985/"
          }
        ],
        "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "NVD-CWE-noinfo"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-271"
              }
            ],
            "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.