ALPINE-CVE-2024-10976

See a problem?
Please try reporting it to the source first.

Source

https://security.alpinelinux.org/vuln/CVE-2024-10976

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/alpine/ALPINE-CVE-2024-10976.json

JSON Data

https://api.test.osv.dev/v1/vulns/ALPINE-CVE-2024-10976

Upstream

CVE-2024-10976

Published

2024-11-14T13:15:03Z

Modified

2025-09-26T00:35:37.733230Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

References

https://security.alpinelinux.org/vuln/CVE-2024-10976

Affected packages

Alpine:v3.17

postgresql14

Package

Name: postgresql14
Purl: pkg:apk/alpine/postgresql14?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

14.14-r0

Affected versions

8.*

8.3.5-r0

8.3.7-r0

8.3.7-r1

8.3.7-r2

8.3.7-r3

8.4.0-r0

8.4.0-r1

8.4.0-r2

8.4.1-r0

8.4.1-r1

8.4.2-r0

8.4.2-r1

8.4.3-r0

8.4.3-r1

8.4.3-r2

8.4.3-r3

8.4.4-r0

9.*

9.0.1-r0

9.0.2-r0

9.0.3-r0

9.0.3-r1

9.0.4-r0

9.1.0-r0

9.1.0-r1

9.1.1-r0

9.1.1-r1

9.1.1-r2

9.1.2-r0

9.1.2-r1

9.1.2-r2

9.1.3-r0

9.1.4-r0

9.1.5-r0

9.2.0-r0

9.2.0-r1

9.2.1-r0

9.2.1-r1

9.2.1-r2

9.2.2-r0

9.2.3-r0

9.2.4-r0

9.3.0-r0

9.3.0-r1

9.3.0-r2

9.3.1-r0

9.3.2-r0

9.3.3-r0

9.3.3-r1

9.3.3-r2

9.3.4-r0

9.3.4-r1

9.3.5-r0

9.3.5-r1

9.4.0-r0

9.4.1-r0

9.4.1-r1

9.4.1-r2

9.4.1-r3

9.4.2-r0

9.4.3-r0

9.4.4-r0

9.4.5-r0

9.4.5-r1

9.5.0-r0

9.5.1-r0

9.5.2-r0

9.5.2-r1

9.5.2-r2

9.5.2-r3

9.5.2-r4

9.5.3-r0

9.5.3-r1

9.5.4-r0

9.6.0-r0

9.6.0-r1

9.6.1-r0

9.6.1-r1

9.6.2-r0

9.6.2-r1

9.6.2-r2

9.6.2-r3

9.6.2-r4

9.6.3-r0

9.6.4-r0

9.6.4-r1

9.6.5-r0

9.6.5-r1

10.*

10.0-r0

10.0-r1

10.1-r0

10.1-r1

10.1-r2

10.2-r0

10.3-r0

10.3-r1

10.4-r0

10.5-r0

11.*

11.0-r0

11.0-r1

11.1-r0

11.2-r0

11.2-r1

11.3-r0

11.3-r1

11.3-r2

11.4-r0

11.4-r1

11.5-r0

11.5-r1

11.5-r2

12.*

12.0-r0

12.0-r1

12.1-r0

12.1-r1

12.1-r2

12.2-r0

12.2-r1

12.2-r2

12.2-r3

12.3-r0

12.3-r1

12.3-r2

12.4-r0

12.4-r1

12.5-r0

12.5-r1

13.*

13.1-r0

13.1-r1

13.1-r2

13.2-r0

13.2-r1

13.2-r2

13.2-r3

13.2-r4

13.3-r0

13.3-r1

13.4-r0

13.4-r1

13.4-r2

14.*

14.0-r0

14.0-r2

14.0-r3

14.0-r4

14.0-r5

14.0-r6

14.1-r0

14.1-r1

14.1-r2

14.1-r3

14.1-r4

14.1-r5

14.1-r6

14.1-r7

14.2-r0

14.2-r1

14.2-r2

14.2-r3

14.3-r0

14.3-r1

14.4-r0

14.4-r1

14.4-r2

14.5-r0

14.5-r1

14.5-r2

14.5-r3

14.6-r0

14.6-r1

14.7-r0

14.8-r0

14.9-r0

14.10-r0

14.11-r0

14.12-r0

14.13-r0

postgresql15

Package

Name: postgresql15
Purl: pkg:apk/alpine/postgresql15?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

15.9-r0

Affected versions

15.*

15.1-r0

15.2-r0

15.3-r0

15.4-r0

15.5-r0

15.6-r0

15.7-r0

15.8-r0

Alpine:v3.18

postgresql14

Package

Name: postgresql14
Purl: pkg:apk/alpine/postgresql14?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

14.14-r0

Affected versions

8.*

8.3.5-r0

8.3.7-r0

8.3.7-r1

8.3.7-r2

8.3.7-r3

8.4.0-r0

8.4.0-r1

8.4.0-r2

8.4.1-r0

8.4.1-r1

8.4.2-r0

8.4.2-r1

8.4.3-r0

8.4.3-r1

8.4.3-r2

8.4.3-r3

8.4.4-r0

9.*

9.0.1-r0

9.0.2-r0

9.0.3-r0

9.0.3-r1

9.0.4-r0

9.1.0-r0

9.1.0-r1

9.1.1-r0

9.1.1-r1

9.1.1-r2

9.1.2-r0

9.1.2-r1

9.1.2-r2

9.1.3-r0

9.1.4-r0

9.1.5-r0

9.2.0-r0

9.2.0-r1

9.2.1-r0

9.2.1-r1

9.2.1-r2

9.2.2-r0

9.2.3-r0

9.2.4-r0

9.3.0-r0

9.3.0-r1

9.3.0-r2

9.3.1-r0

9.3.2-r0

9.3.3-r0

9.3.3-r1

9.3.3-r2

9.3.4-r0

9.3.4-r1

9.3.5-r0

9.3.5-r1

9.4.0-r0

9.4.1-r0

9.4.1-r1

9.4.1-r2

9.4.1-r3

9.4.2-r0

9.4.3-r0

9.4.4-r0

9.4.5-r0

9.4.5-r1

9.5.0-r0

9.5.1-r0

9.5.2-r0

9.5.2-r1

9.5.2-r2

9.5.2-r3

9.5.2-r4

9.5.3-r0

9.5.3-r1

9.5.4-r0

9.6.0-r0

9.6.0-r1

9.6.1-r0

9.6.1-r1

9.6.2-r0

9.6.2-r1

9.6.2-r2

9.6.2-r3

9.6.2-r4

9.6.3-r0

9.6.4-r0

9.6.4-r1

9.6.5-r0

9.6.5-r1

10.*

10.0-r0

10.0-r1

10.1-r0

10.1-r1

10.1-r2

10.2-r0

10.3-r0

10.3-r1

10.4-r0

10.5-r0

11.*

11.0-r0

11.0-r1

11.1-r0

11.2-r0

11.2-r1

11.3-r0

11.3-r1

11.3-r2

11.4-r0

11.4-r1

11.5-r0

11.5-r1

11.5-r2

12.*

12.0-r0

12.0-r1

12.1-r0

12.1-r1

12.1-r2

12.2-r0

12.2-r1

12.2-r2

12.2-r3

12.3-r0

12.3-r1

12.3-r2

12.4-r0

12.4-r1

12.5-r0

12.5-r1

13.*

13.1-r0

13.1-r1

13.1-r2

13.2-r0

13.2-r1

13.2-r2

13.2-r3

13.2-r4

13.3-r0

13.3-r1

13.4-r0

13.4-r1

13.4-r2

14.*

14.0-r0

14.0-r2

14.0-r3

14.0-r4

14.0-r5

14.0-r6

14.1-r0

14.1-r1

14.1-r2

14.1-r3

14.1-r4

14.1-r5

14.1-r6

14.1-r7

14.2-r0

14.2-r1

14.2-r2

14.2-r3

14.3-r0

14.3-r1

14.4-r0

14.4-r1

14.4-r2

14.5-r0

14.5-r1

14.5-r2

14.5-r3

14.6-r0

14.6-r1

14.7-r0

14.7-r1

14.7-r2

14.7-r3

14.7-r4

14.8-r0

14.9-r0

14.10-r0

14.11-r0

14.12-r0

14.13-r0

postgresql15

Package

Name: postgresql15
Purl: pkg:apk/alpine/postgresql15?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

15.9-r0

Affected versions

15.*

15.1-r0

15.1-r1

15.2-r0

15.2-r1

15.2-r2

15.2-r3

15.2-r4

15.3-r0

15.4-r0

15.5-r0

15.6-r0

15.7-r0

15.8-r0

Alpine:v3.19

postgresql15

Package

Name: postgresql15
Purl: pkg:apk/alpine/postgresql15?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

15.9-r0

Affected versions

15.*

15.1-r0

15.1-r1

15.2-r0

15.2-r1

15.2-r2

15.2-r3

15.2-r4

15.3-r0

15.3-r1

15.4-r0

15.4-r1

15.4-r2

15.5-r0

15.6-r0

15.7-r0

15.8-r0

postgresql16

Package

Name: postgresql16
Purl: pkg:apk/alpine/postgresql16?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.5-r0

Affected versions

16.*

16.0-r0

16.0-r1

16.0-r2

16.1-r0

16.2-r0

16.2-r1

16.3-r0

16.4-r0

Alpine:v3.20

postgresql15

Package

Name: postgresql15
Purl: pkg:apk/alpine/postgresql15?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

15.9-r0

Affected versions

15.*

15.1-r0

15.1-r1

15.2-r0

15.2-r1

15.2-r2

15.2-r3

15.2-r4

15.3-r0

15.3-r1

15.4-r0

15.4-r1

15.4-r2

15.5-r0

15.6-r0

15.6-r1

15.6-r2

15.7-r0

15.8-r0

postgresql16

Package

Name: postgresql16
Purl: pkg:apk/alpine/postgresql16?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.5-r0

Affected versions

16.*

16.0-r0

16.0-r1

16.0-r2

16.1-r0

16.2-r0

16.2-r1

16.2-r2

16.2-r3

16.2-r4

16.3-r0

16.4-r0

Alpine:v3.21

postgresql16

Package

Name: postgresql16
Purl: pkg:apk/alpine/postgresql16?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.5-r0

Affected versions

16.*

16.0-r0

16.0-r1

16.0-r2

16.1-r0

16.2-r0

16.2-r1

16.2-r2

16.2-r3

16.2-r4

16.3-r0

16.3-r1

16.4-r0

16.4-r1

postgresql17

Package

Name: postgresql17
Purl: pkg:apk/alpine/postgresql17?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

17.1-r0

Affected versions

17.*

17.0-r0

17.0-r1

Alpine:v3.22

postgresql16

Package

Name: postgresql16
Purl: pkg:apk/alpine/postgresql16?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

16.5-r0

Affected versions

16.*

16.0-r0

16.0-r1

16.0-r2

16.1-r0

16.2-r0

16.2-r1

16.2-r2

16.2-r3

16.2-r4

16.3-r0

16.3-r1

16.4-r0

16.4-r1

postgresql17

Package

Name: postgresql17
Purl: pkg:apk/alpine/postgresql17?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

17.1-r0

Affected versions

17.*

17.0-r0

17.0-r1