UBUNTU-CVE-2024-10976

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2024-10976

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2024/UBUNTU-CVE-2024-10976.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2024-10976

Related

CVE-2024-10976

Published

2024-11-14T13:15:00Z

Modified

2024-11-20T12:27:39Z

Summary

[none]

Details

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

References

Affected packages

Ubuntu:Pro:14.04:LTS / postgresql-9.3

Package

Name: postgresql-9.3
Purl: pkg:deb/ubuntu/postgresql-9.3?arch=src?distro=trusty/esm

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.3.1-1

9.3.2-1

9.3.2-1ubuntu1

9.3.2-1ubuntu2

9.3.3-1

9.3.3-1bzr1

9.3.3-1bzr2

9.3.4-1

9.3.5-0ubuntu0.14.04.1

9.3.6-0ubuntu0.14.04

9.3.7-0ubuntu0.14.04

9.3.8-0ubuntu0.4.04

9.3.9-0ubuntu0.14.04

9.3.10-0ubuntu0.14.04

9.3.11-0ubuntu0.14.04

9.3.12-0ubuntu0.14.04

9.3.13-0ubuntu0.14.04

9.3.14-0ubuntu0.14.04

9.3.15-0ubuntu0.14.04

9.3.16-0ubuntu0.14.04

9.3.17-0ubuntu0.14.04

9.3.18-0ubuntu0.14.04.1

9.3.19-0ubuntu0.14.04

9.3.20-0ubuntu0.14.04

9.3.21-0ubuntu0.14.04

9.3.22-0ubuntu0.14.04

9.3.23-0ubuntu0.14.04

9.3.24-0ubuntu0.14.04

9.3.24-0ubuntu0.14.04+esm1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:16.04:LTS / postgresql-9.5

Package

Name: postgresql-9.5
Purl: pkg:deb/ubuntu/postgresql-9.5?arch=src?distro=esm-infra/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

9.*

9.5.0-1

9.5.0-2

9.5.0-3

9.5.1-1

9.5.2-1

9.5.3-0ubuntu0.16.04

9.5.4-0ubuntu0.16.04

9.5.5-0ubuntu0.16.04

9.5.6-0ubuntu0.16.04

9.5.7-0ubuntu0.16.04

9.5.8-0ubuntu0.16.04.1

9.5.9-0ubuntu0.16.04

9.5.10-0ubuntu0.16.04

9.5.11-0ubuntu0.16.04

9.5.12-0ubuntu0.16.04

9.5.13-0ubuntu0.16.04

9.5.14-0ubuntu0.16.04

9.5.16-0ubuntu0.16.04.1

9.5.17-0ubuntu0.16.04.1

9.5.18-0ubuntu0.16.04.1

9.5.19-0ubuntu0.16.04.1

9.5.21-0ubuntu0.16.04.1

9.5.23-0ubuntu0.16.04.1

9.5.24-0ubuntu0.16.04.1

9.5.25-0ubuntu0.16.04.1

9.5.25-0ubuntu0.16.04.1+esm1

9.5.25-0ubuntu0.16.04.1+esm2

9.5.25-0ubuntu0.16.04.1+esm3

9.5.25-0ubuntu0.16.04.1+esm4

9.5.25-0ubuntu0.16.04.1+esm5

9.5.25-0ubuntu0.16.04.1+esm6

9.5.25-0ubuntu0.16.04.1+esm7

9.5.25-0ubuntu0.16.04.1+esm8

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / postgresql-10

Package

Name: postgresql-10
Purl: pkg:deb/ubuntu/postgresql-10?arch=src?distro=esm-infra/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

10.*

10.1-1

10.1-2

10.2-1

10.3-1

10.4-0ubuntu0.18.04

10.5-0ubuntu0.18.04

10.6-0ubuntu0.18.04.1

10.7-0ubuntu0.18.04.1

10.8-0ubuntu0.18.04.1

10.9-0ubuntu0.18.04.1

10.10-0ubuntu0.18.04.1

10.12-0ubuntu0.18.04.1

10.14-0ubuntu0.18.04.1

10.15-0ubuntu0.18.04.1

10.16-0ubuntu0.18.04.1

10.17-0ubuntu0.18.04.1

10.18-0ubuntu0.18.04.1

10.19-0ubuntu0.18.04.1

10.20-0ubuntu0.18.04.1

10.21-0ubuntu0.18.04.1

10.22-0ubuntu0.18.04.1

10.23-0ubuntu0.18.04.1

10.23-0ubuntu0.18.04.2

10.23-0ubuntu0.18.04.2+esm1

10.23-0ubuntu0.18.04.2+esm2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / postgresql-12

Package

Name: postgresql-12
Purl: pkg:deb/ubuntu/postgresql-12?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

12.*

12.0-1

12.1-1

12.1-2build1

12.2-1

12.2-1ubuntu2

12.2-4

12.4-0ubuntu0.20.04.1

12.5-0ubuntu0.20.04.1

12.6-0ubuntu0.20.04.1

12.7-0ubuntu0.20.04.1

12.8-0ubuntu0.20.04.1

12.9-0ubuntu0.20.04.1

12.10-0ubuntu0.20.04.1

12.11-0ubuntu0.20.04.1

12.12-0ubuntu0.20.04.1

12.13-0ubuntu0.20.04.1

12.14-0ubuntu0.20.04.1

12.15-0ubuntu0.20.04.1

12.16-0ubuntu0.20.04.1

12.17-0ubuntu0.20.04.1

12.18-0ubuntu0.20.04.1

12.19-0ubuntu0.20.04.1

12.20-0ubuntu0.20.04.1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / postgresql-14

Package

Name: postgresql-14
Purl: pkg:deb/ubuntu/postgresql-14?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

14.*

14.1-1ubuntu1

14.2-1

14.2-1ubuntu1

14.3-0ubuntu0.22.04.1

14.4-0ubuntu0.22.04.1

14.5-0ubuntu0.22.04.1

14.6-0ubuntu0.22.04.1

14.7-0ubuntu0.22.04.1

14.8-0ubuntu0.22.04.1

14.9-0ubuntu0.22.04.1

14.10-0ubuntu0.22.04.1

14.11-0ubuntu0.22.04.1

14.12-0ubuntu0.22.04.1

14.13-0ubuntu0.22.04.1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / postgresql-16

Package

Name: postgresql-16
Purl: pkg:deb/ubuntu/postgresql-16?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

16.*

16.2-1ubuntu4

16.3-1

16.4-1

16.4-1build1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / postgresql-16

Package

Name: postgresql-16
Purl: pkg:deb/ubuntu/postgresql-16?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

16.*

16.0-2

16.1-1

16.1-1build1

16.1-1build3

16.2-1

16.2-1ubuntu2

16.2-1ubuntu3

16.2-1ubuntu4

16.3-0ubuntu0.24.04.1

16.4-0ubuntu0.24.04.1

16.4-0ubuntu0.24.04.2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}