CVE-2024-0985
HIGHDescription
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
Is your site exposed to CVE-2024-0985?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| postgresql | postgresql |
| postgresql | postgresql |
| postgresql | postgresql |
| postgresql | postgresql |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2024-0985? +
How severe is CVE-2024-0985? +
What products are affected by CVE-2024-0985? +
How do I check if I'm vulnerable to CVE-2024-0985? +
Related Vulnerabilities
CloudNativePG is a platform designed to manage PostgreSQL databases within Kubernetes environments. Prior to 1.29.1 and 1.28.3, the CloudNativePG metrics …
Nix is a package manager for Linux and other Unix systems. Builds with Nix 2.30.0 on macOS were executed with …
Screen 5.0.0 when it runs with setuid-root privileges does not drop privileges while operating on a user supplied path. This …
Stalwart Mail Server is an open-source mail server. Prior to version 0.8.0, when using `RUN_AS_USER`, the specified user (and therefore, …
pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In …
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the …