AZL-35111

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-35111.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-35111

Upstream

CVE-2024-0985

Published

2024-02-08T13:15:08Z

Modified

2026-04-21T04:27:50.199762Z

Severity

8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CVE-2024-0985 affecting package postgresql for versions less than 16.3-1

Details

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-0985

Affected packages

Azure Linux:3 / postgresql

Package

Name: postgresql
Purl: pkg:rpm/azure-linux/postgresql

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.3-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-35111.json"