Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 924110 (CVE-2024-0985) - <dev-db/postgresql:{12.19:12,13.14:13,14.11:14,15.6:15,16.2:16}: privilege escalation
Summary: <dev-db/postgresql:{12.19:12,13.14:13,14.11:14,15.6:15,16.2:16}: privilege es...
Alias: CVE-2024-0985
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 924109
  Show dependency tree
Reported: 2024-02-08 14:54 UTC by Patrick Lauer
Modified: 2024-07-20 08:11 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Patrick Lauer gentoo-dev 2024-02-08 14:54:57 UTC
CVE-2024-0985: PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL
CVSS v3 Base Score: 8.0

Supported, Vulnerable Versions: 12 - 15.

One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. The fix for the vulnerability makes is so that all user-determined code is run as the view's owner, as expected.

The PostgreSQL project thanks Pedro Gallegos for reporting this problem.