// For flags

CVE-2024-0985

PostgreSQL non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL

Severity Score

8.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

La caída tardía de privilegios en ACTUALIZAR VISTA MATERIALIZADA CONCURRENTE en PostgreSQL permite a un creador de objetos ejecutar funciones SQL arbitrarias como emisor de comandos. El comando pretende ejecutar funciones SQL como propietario de la vista materializada, lo que permite una actualización segura de vistas materializadas que no son de confianza. La víctima es un superusuario o miembro de uno de los roles del atacante. El ataque requiere atraer a la víctima para que ejecute ACTUALIZAR VISTA MATERIALIZADA CONCURRENTE en la vista materializada del atacante. Como parte de la explotación de esta vulnerabilidad, el atacante crea funciones que utilizan CREATE RULE para convertir la tabla temporal creada internamente en una vista. Las versiones anteriores a PostgreSQL 15.6, 14.11, 13.14 y 12.18 se ven afectadas. El único exploit conocido no funciona en PostgreSQL 16 y posteriores. Para una defensa en profundidad, PostgreSQL 16.2 agrega las protecciones que utilizan las ramas más antiguas para corregir su vulnerabilidad.

A flaw was found in PostgreSQL. A late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL can allow an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling a safe refresh of untrusted materialized views. The attack requires luring the victim, a superuser or member of one of the attacker's roles, into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view.

*Credits: The PostgreSQL project thanks Pedro Gallegos for reporting this problem.
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2024-01-27 CVE Reserved
  • 2024-02-08 CVE Published
  • 2024-07-11 EPSS Updated
  • 2024-08-01 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-271: Privilege Dropping / Lowering Errors
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Postgresql
Search vendor "Postgresql"
Postgresql
Search vendor "Postgresql" for product "Postgresql"
>= 12.0 < 12.18
Search vendor "Postgresql" for product "Postgresql" and version " >= 12.0 < 12.18"
-
Affected
Postgresql
Search vendor "Postgresql"
Postgresql
Search vendor "Postgresql" for product "Postgresql"
>= 13.0 < 13.14
Search vendor "Postgresql" for product "Postgresql" and version " >= 13.0 < 13.14"
-
Affected
Postgresql
Search vendor "Postgresql"
Postgresql
Search vendor "Postgresql" for product "Postgresql"
>= 14.0 < 14.11
Search vendor "Postgresql" for product "Postgresql" and version " >= 14.0 < 14.11"
-
Affected
Postgresql
Search vendor "Postgresql"
Postgresql
Search vendor "Postgresql" for product "Postgresql"
>= 15.0 < 15.6
Search vendor "Postgresql" for product "Postgresql" and version " >= 15.0 < 15.6"
-
Affected