CVE-2024-10978

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended.  An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature.  The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker.  If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION.  The attacker does not control which incorrect user ID applies.  Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries.  Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVSS scores

Provider     Type   Base score   Attack vector   Attack complexity   Privileges required   Vector
NIST         NIST   4.2 MEDIUM   NETWORK         HIGH                LOW                   CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
PostgreSQL   CNA    4.2 MEDIUM   NETWORK         HIGH                LOW                   CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
CISA-ADP     ADP    ---          ---             ---                 ---                   ---
CVE          ADP    ---          ---             ---                 ---                   ---
EPSS score percentile: 29%
Affected software versions (x = vulnerable software versions)

Vendor       Product        Version
postgresql   postgresql     12.0 ≤ x < 12.21
postgresql   postgresql     13.0 ≤ x < 13.17
postgresql   postgresql     14.0 ≤ x < 14.14
postgresql   postgresql     15.0 ≤ x < 15.9
postgresql   postgresql     16.0 ≤ x < 16.5
postgresql   postgresql     17.0
postgresql   postgresql     17.0:beta1
postgresql   postgresql     17.0:beta2
postgresql   postgresql     17.0:beta3
postgresql   postgresql     17.0:rc1
debian       debian_linux   11.0
Debian Releases

Debian product   Codename              Version           Status
postgresql-13    bullseye                                vulnerable
postgresql-13    bullseye (security)   13.21-0+deb11u1   fixed
postgresql-15    bookworm              15.13-0+deb12u1   fixed
postgresql-15    bookworm (security)   15.10-0+deb12u1   fixed
postgresql-17    sid                   17.5-1            fixed
postgresql-17    trixie                17.5-1            fixed
Ubuntu Releases (dne = package does not exist in that release)

Ubuntu product   Codename   Status         Fixed version
postgresql-10    plucky     dne
postgresql-10    oracular   dne
postgresql-10    noble      dne
postgresql-10    jammy      dne
postgresql-10    focal      dne
postgresql-10    bionic     needs-triage
postgresql-12    plucky     dne
postgresql-12    oracular   dne
postgresql-12    noble      dne
postgresql-12    jammy      dne
postgresql-12    focal      released       12.22-0ubuntu0.20.04.1
postgresql-14    plucky     dne
postgresql-14    oracular   dne
postgresql-14    noble      dne
postgresql-14    jammy      released       14.15-0ubuntu0.22.04.1
postgresql-14    focal      dne
postgresql-16    plucky     dne
postgresql-16    oracular   released       16.6-0ubuntu0.24.10.1
postgresql-16    noble      released       16.6-0ubuntu0.24.04.1
postgresql-16    jammy      dne
postgresql-16    focal      dne
postgresql-17    plucky     not-affected
postgresql-17    oracular   dne
postgresql-17    noble      dne
postgresql-17    jammy      dne
postgresql-17    focal      dne
postgresql-9.1   plucky     dne
postgresql-9.1   oracular   dne
postgresql-9.1   noble      dne
postgresql-9.1   jammy      dne
postgresql-9.1   focal      dne
postgresql-9.3   plucky     dne
postgresql-9.3   oracular   dne
postgresql-9.3   noble      dne
postgresql-9.3   jammy      dne
postgresql-9.3   focal      dne
postgresql-9.3   trusty     deferred
postgresql-9.5   plucky     dne
postgresql-9.5   oracular   dne
postgresql-9.5   noble      dne
postgresql-9.5   jammy      dne
postgresql-9.5   focal      dne
postgresql-9.5   xenial     released       9.5.25-0ubuntu0.16.04.1+esm10