DEBIAN-CVE-2024-0985

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2024-0985
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2024-0985.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2024-0985
Upstream
Published
2024-02-08T13:15:08Z
Modified
2025-09-25T23:29:57.155078Z
Severity
  • 8.0 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

References

Affected packages

Debian:11 / postgresql-13

Package

Name
postgresql-13
Purl
pkg:deb/debian/postgresql-13?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
13.14-0+deb11u1

Affected versions

13.*

13.3-1
13.4-0+deb11u1
13.4-1
13.4-2
13.4-3
13.5-0+deb11u1
13.7-0+deb11u1
13.8-0+deb11u1
13.9-0+deb11u1
13.10-0+deb11u1
13.11-0+deb11u1
13.12-0+deb11u1
13.13-0+deb11u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / postgresql-15

Package

Name
postgresql-15
Purl
pkg:deb/debian/postgresql-15?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
15.6-0+deb12u1

Affected versions

15.*

15.3-0+deb12u1
15.3-1
15.4-0+deb12u1
15.4-1
15.4-2
15.4-3
15.5-0+deb12u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}