CVE-2024-0985

CVSS 3.1 Score 8.0 of 10 (high)

Details

Published Feb 8, 2024

Updated: Jul 10, 2024

CWE ID 271

Summary

CVE-2024-0985 is a newly disclosed vulnerability in PostgreSQL that permits an attacker to execute arbitrary SQL functions with the privileges of the command issuer, despite the intended execution as the materialized view owner. Affected versions include those before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18. This issue arises due to a late privilege drop during the REFRESH MATERIALIZED VIEW CONCURRENTLY process. An attacker can manipulate this by luring a superuser or a member of their role into refreshing a materialized view that the attacker controls, thereby gaining elevated privileges.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Affected Products

PostgreSQL

Affected Vendors

Postgresql

Advisories, Assessments, and Mitigations

Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future

Note: This is just a basic overview providing quick insights into CVE-2024-0985 information. Gain full access to comprehensive CVE data, third party vulnerabilities, compromised credentials and more with Recorded Future

Gain complete coverage of your cyber, third party, and physical attack surface
Proactively mitigate threats before they turn into costly attacks
Make fast, effective, data-driven decisions

Book your demo

Sign in

Back to Vulnerability Database