{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-0985", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2024-01-27T20:47:02.113Z", "datePublished": "2024-02-08T13:00:02.411Z", "dateUpdated": "2024-08-01T18:26:30.364Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2024-06-19T23:33:54.806Z"}, "title": "PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL", "descriptions": [{"lang": "en", "value": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected."}], "affected": [{"defaultStatus": "unaffected", "product": "PostgreSQL", "vendor": "n/a", "versions": [{"lessThan": "16.2", "status": "affected", "version": "16", "versionType": "rpm"}, {"lessThan": "15.6", "status": "affected", "version": "15", "versionType": "rpm"}, {"lessThan": "14.11", "status": "affected", "version": "14", "versionType": "rpm"}, {"lessThan": "13.14", "status": "affected", "version": "13", "versionType": "rpm"}, {"lessThan": "12.18", "status": "affected", "version": "0", "versionType": "rpm"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-271", "type": "CWE", "description": "Privilege Dropping / Lowering Errors"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2024-0985/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html"}, {"url": "https://saites.dev/projects/personal/postgres-cve-2024-0985/"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8, "baseSeverity": "HIGH"}}], "configurations": [{"lang": "en", "value": "attacker has permission to create non-temporary objects in at least one schema"}], "workarounds": [{"lang": "en", "value": "Use REFRESH MATERIALIZED VIEW without CONCURRENTLY."}, {"lang": "en", "value": "In a new database connection, authenticate as the materialized view owner."}], "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Pedro Gallegos for reporting this problem."}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T18:26:30.364Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.postgresql.org/support/security/CVE-2024-0985/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html", "tags": ["x_transferred"]}, {"url": "https://saites.dev/projects/personal/postgres-cve-2024-0985/", "tags": ["x_transferred"]}]}]}, "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "6515DD96-8226-4C7A-9731-75C62F781ADD", "versionEndExcluding": "12.18", "versionStartIncluding": "12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "36C5A43F-5861-460E-912B-BC70C232DEED", "versionEndExcluding": "13.14", "versionStartIncluding": "13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "170AC44C-3970-46BF-8071-4B29F5EF20F3", "versionEndExcluding": "14.11", "versionStartIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "AF8DDD13-1879-4298-855A-F2FC236CB846", "versionEndExcluding": "15.6", "versionStartIncluding": "15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected."}, {"lang": "es", "value": "La ca\u00edda tard\u00eda de privilegios en ACTUALIZAR VISTA MATERIALIZADA CONCURRENTE en PostgreSQL permite a un creador de objetos ejecutar funciones SQL arbitrarias como emisor de comandos. El comando pretende ejecutar funciones SQL como propietario de la vista materializada, lo que permite una actualizaci\u00f3n segura de vistas materializadas que no son de confianza. La v\u00edctima es un superusuario o miembro de uno de los roles del atacante. El ataque requiere atraer a la v\u00edctima para que ejecute ACTUALIZAR VISTA MATERIALIZADA CONCURRENTE en la vista materializada del atacante. Como parte de la explotaci\u00f3n de esta vulnerabilidad, el atacante crea funciones que utilizan CREATE RULE para convertir la tabla temporal creada internamente en una vista. Las versiones anteriores a PostgreSQL 15.6, 14.11, 13.14 y 12.18 se ven afectadas. El \u00fanico exploit conocido no funciona en PostgreSQL 16 y posteriores. Para una defensa en profundidad, PostgreSQL 16.2 agrega las protecciones que utilizan las ramas m\u00e1s antiguas para corregir su vulnerabilidad."}], "id": "CVE-2024-0985", "lastModified": "2024-07-10T18:15:03.083", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.0, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.9, "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}]}, "published": "2024-02-08T13:15:08.927", "references": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "url": "https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html"}, {"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "url": "https://saites.dev/projects/personal/postgres-cve-2024-0985/"}, {"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "tags": ["Vendor Advisory"], "url": "https://www.postgresql.org/support/security/CVE-2024-0985/"}], "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-271"}], "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0956", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:10-8090020240213200157.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:0973", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:15-8090020240209124629.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:0974", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:12-8090020240209130909.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:0975", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:13-8090020240209125046.a75119d5", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:1071", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "postgresql:12-8020020240214021628.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-03-04T00:00:00Z"}, {"advisory": "RHSA-2024:1422", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "postgresql:10-8020020240229083218.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1071", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "postgresql:12-8020020240214021628.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2024-03-04T00:00:00Z"}, {"advisory": "RHSA-2024:1422", "cpe": "cpe:/a:redhat:rhel_tus:8.2", "package": "postgresql:10-8020020240229083218.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Telecommunications Update Service", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1071", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "postgresql:12-8020020240214021628.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2024-03-04T00:00:00Z"}, {"advisory": "RHSA-2024:1422", "cpe": "cpe:/a:redhat:rhel_e4s:8.2", "package": "postgresql:10-8020020240229083218.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1195", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "postgresql:12-8040020240214080556.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-03-06T00:00:00Z"}, {"advisory": "RHSA-2024:1429", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "postgresql:10-8040020240226112406.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1437", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "postgresql:13-8040020240222071300.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-03-20T00:00:00Z"}, {"advisory": "RHSA-2024:1195", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "postgresql:12-8040020240214080556.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-03-06T00:00:00Z"}, {"advisory": "RHSA-2024:1429", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "postgresql:10-8040020240226112406.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1437", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "postgresql:13-8040020240222071300.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-03-20T00:00:00Z"}, {"advisory": "RHSA-2024:1195", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "postgresql:12-8040020240214080556.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-03-06T00:00:00Z"}, {"advisory": "RHSA-2024:1429", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "postgresql:10-8040020240226112406.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1437", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "postgresql:13-8040020240222071300.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-03-20T00:00:00Z"}, {"advisory": "RHSA-2024:1070", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "postgresql:12-8060020240214083443.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-03-04T00:00:00Z"}, {"advisory": "RHSA-2024:1315", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "postgresql:13-8060020240219120118.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-03-13T00:00:00Z"}, {"advisory": "RHSA-2024:1348", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "postgresql:10-8060020240220155541.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-03-18T00:00:00Z"}, {"advisory": "RHSA-2024:1017", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "postgresql:15-8080020240220104521.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-02-28T00:00:00Z"}, {"advisory": "RHSA-2024:1069", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "postgresql:12-8080020240214025906.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-03-04T00:00:00Z"}, {"advisory": "RHSA-2024:1426", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "postgresql:13-8080020240221110841.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:1428", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "postgresql:10-8080020240227061409.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-03-19T00:00:00Z"}, {"advisory": "RHSA-2024:0950", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "postgresql:15-9030020240209100638.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-02-22T00:00:00Z"}, {"advisory": "RHSA-2024:0951", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "postgresql-0:13.14-1.el9_3", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-02-22T00:00:00Z"}, {"advisory": "RHSA-2024:1240", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "postgresql-0:13.14-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2024-03-11T00:00:00Z"}, {"advisory": "RHSA-2024:1241", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "postgresql-0:13.14-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-03-11T00:00:00Z"}, {"advisory": "RHSA-2024:1314", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "postgresql:15-9020020240213145157.rhel9", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-03-13T00:00:00Z"}, {"advisory": "RHSA-2024:0988", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql13-postgresql-0:13.14-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:0990", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql12-postgresql-0:12.18-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2024-02-26T00:00:00Z"}, {"advisory": "RHSA-2024:0992", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-postgresql10-postgresql-0:10.23-3.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2024-02-26T00:00:00Z"}], "bugzilla": {"description": "postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL", "id": "2263384", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2263384"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.0", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-271", "details": ["Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.", "A flaw was found in PostgreSQL. A late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL can allow an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling a safe refresh of untrusted materialized views. The attack requires luring the victim, a superuser or member of one of the attacker's roles, into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-0985", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:service_registry:2", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat build of Apicurio Registry"}, {"cpe": "cpe:/a:redhat:optaplanner:::el6", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat build of OptaPlanner 8"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "postgresql:16/postgresql", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "postgresql:16/postgresql", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:debezium:2", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat Integration Change Data Capture"}, {"cpe": "cpe:/a:redhat:jboss_data_grid:7", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat JBoss Data Grid 7"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat JBoss Fuse 7"}], "public_date": "2024-02-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-0985\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-0985"], "statement": "This PostgreSQL vulnerability poses a significant risk due to its potential for unauthorized access and manipulation of data. Essentially, it allows attackers to execute arbitrary SQL functions using the REFRESH MATERIALIZED VIEW CONCURRENTLY command, especially when the victim is a superuser or holds a role within the attacker's control. By luring victims into running this command on a maliciously crafted materialized view, attackers can exploit the system. This could lead to serious consequences, such as data breaches or data corruption, compromising the integrity and confidentiality of the database.", "threat_severity": "Important", "upstream_fix": "postgresql 12.18, postgresql 13.14, postgresql 14.11, postgresql 15.6"}