CVE-2024-0985: PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL

CVSS v3 Base Score: 8.0
Supported, Vulnerable Versions: 12 - 15.

One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. The fix for the vulnerability makes it so that all user-determined code is run as the view's owner, as expected.

The PostgreSQL project thanks Pedro Gallegos for reporting this problem.
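For triage on an unpatched server, the catalog query below is an added example (not part of the bug report or the PostgreSQL advisory). It lists materialized views owned by non-superuser roles, which are the views where a REFRESH run by a more privileged user would cross a privilege boundary. The column alias `concurrent_refresh_possible` is a name chosen here; it reflects the documented requirement that CONCURRENTLY needs a unique index on plain columns covering all rows.

```sql
-- Added example: run once per database, as a role that can read the catalogs.
-- Lists materialized views whose owner is not a superuser, and whether a
-- REFRESH MATERIALIZED VIEW CONCURRENTLY is currently possible on each one.
SELECT n.nspname                          AS schema_name,
       c.relname                          AS matview_name,
       r.rolname                          AS owner,
       EXISTS (
           SELECT 1
           FROM pg_catalog.pg_index i
           WHERE i.indrelid = c.oid
             AND i.indisunique            -- unique index required
             AND i.indisvalid
             AND i.indpred  IS NULL       -- no WHERE clause (covers all rows)
             AND i.indexprs IS NULL       -- plain column names only
       )                                  AS concurrent_refresh_possible,
       current_setting('server_version')  AS server_version
FROM pg_catalog.pg_class     c
JOIN pg_catalog.pg_namespace n ON n.oid = c.relnamespace
JOIN pg_catalog.pg_roles     r ON r.oid = c.relowner
WHERE c.relkind = 'm'                     -- 'm' = materialized view
  AND NOT r.rolsuper
ORDER BY r.rolname, n.nspname, c.relname;
```

A view's owner can add a qualifying unique index at any time, so rows with `concurrent_refresh_possible = false` still deserve review until the server is updated.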
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=7240eff2e6b5c1e8d1af9a65cfa3c6c31e355595

commit 7240eff2e6b5c1e8d1af9a65cfa3c6c31e355595
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-08-07 08:28:46 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-08-07 08:29:00 +0000

    [ GLSA 202408-06 ] PostgreSQL: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/903193
    Bug: https://bugs.gentoo.org/912251
    Bug: https://bugs.gentoo.org/917153
    Bug: https://bugs.gentoo.org/924110
    Bug: https://bugs.gentoo.org/931849
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202408-06.xml | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)