Home > Vulnerability Database > CVE-2024-0985

Mend.io Vulnerability Database

CVE-2024-0985

Good to know:

Date: February 8, 2024

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

Language: C

Severity Score

8.0

Related Resources (6)

Url: https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html

Url: https://www.postgresql.org/support/security/CVE-2024-0985/

Url: https://security-tracker.debian.org/tracker/CVE-2024-0985

Url: https://saites.dev/projects/personal/postgres-cve-2024-0985/

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-0985

Url: https://www.mend.io/vulnerability-database/CVE-2024-0985

Severity Score

8.0

Weakness Type (CWE)

Insufficient Information

NVD-CWE-noinfo

Privilege Dropping / Lowering Errors

CWE-271

Top Fix

Upgrade Version

Upgrade to version REL_12_18,REL_13_14,REL_14_11,REL_15_6,REL_16_2

Learn More

CVSS v3.1

Base Score:	8.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-0985

Good to know:

Date: February 8, 2024

Language: C

Severity Score

Related Resources (6)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?