AZL-34279

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-34279.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-34279

Upstream

CVE-2024-0985

Published

2024-02-08T13:15:08Z

Modified

2026-04-21T04:27:05.383479Z

Severity

8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CVE-2024-0985 affecting package postgresql for versions less than 14.11-1

Details

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0985

Affected packages

Azure Linux:2 / postgresql

Package

Name: postgresql
Purl: pkg:rpm/azure-linux/postgresql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

14.11-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-34279.json"