CVE-2024-0985

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-0985
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-0985.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-0985
Aliases
Downstream
Related
Published
2024-02-08T13:15:08.927Z
Modified
2026-02-05T08:13:50.195842Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

References

Affected packages

Git / git.postgresql.org/git/postgresql.git

Affected ranges

Type
GIT
Repo
https://git.postgresql.org/git/postgresql.git
Events
Introduced
ad1f2885b8c82e0c2d56d7974f012cbecce17a17
Fixed
3ba17930941ea629b2ffb5cd252f3055d4d4a9a6

Affected versions

Other
REL_12_0
REL_12_1
REL_12_10
REL_12_11
REL_12_12
REL_12_13
REL_12_14
REL_12_15
REL_12_16
REL_12_17
REL_12_2
REL_12_3
REL_12_4
REL_12_5
REL_12_6
REL_12_7
REL_12_8
REL_12_9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-0985.json"