924110 – (CVE-2024-0985) <dev-db/postgresql:{12.19:12,13.14:13,14.11:14,15.6:15,16.2:16}: privilege escalation

Bug 924110 (CVE-2024-0985) - <dev-db/postgresql:{12.19:12,13.14:13,14.11:14,15.6:15,16.2:16}: privilege escalation

Summary: <dev-db/postgresql:{12.19:12,13.14:13,14.11:14,15.6:15,16.2:16}: privilege es...

Status:	CONFIRMED

Alias:	CVE-2024-0985

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://www.postgresql.org/about/news...
Whiteboard:	B3 [glsa? cleanup]
Keywords:

Depends on:	924109
Blocks:
	Show dependency tree

Reported:	2024-02-08 14:54 UTC by Patrick Lauer
Modified:	2024-02-24 10:17 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Patrick Lauer gentoo-dev

2024-02-08 14:54:57 UTC

CVE-2024-0985: PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL
CVSS v3 Base Score: 8.0

Supported, Vulnerable Versions: 12 - 15.

One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. The fix for the vulnerability makes is so that all user-determined code is run as the view's owner, as expected.

The PostgreSQL project thanks Pedro Gallegos for reporting this problem.