CVE-2024-10978

EUVD-2024-33376
Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended.  An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature.  The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker.  If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION.  The attacker does not control which incorrect user ID applies.  Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries.  Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVSS 3.x Base Score
Provider     Type      Base Score   Atk. Vector   Atk. Complexity   Priv. Required   Vector
NIST         Primary   4.2 MEDIUM   NETWORK       HIGH              LOW              CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
PostgreSQL   CNA       4.2 MEDIUM   NETWORK       HIGH              LOW              CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Score: percentile 69%
Affected Products (NVD)
Vendor       Product        Version
postgresql   postgresql     12.0 ≤ x < 12.21
postgresql   postgresql     13.0 ≤ x < 13.17
postgresql   postgresql     14.0 ≤ x < 14.14
postgresql   postgresql     15.0 ≤ x < 15.9
postgresql   postgresql     16.0 ≤ x < 16.5
postgresql   postgresql     17.0
postgresql   postgresql     17.0:beta1
postgresql   postgresql     17.0:beta2
postgresql   postgresql     17.0:beta3
postgresql   postgresql     17.0:rc1
debian       debian_linux   11.0
x = vulnerable software version
Debian Releases
Debian Product   Codename              Version           Status
postgresql-13    bullseye                                vulnerable
postgresql-13    bullseye (security)   13.23-0+deb11u1   fixed
postgresql-15    bookworm              15.14-0+deb12u1   fixed
postgresql-15    bookworm (security)   15.10-0+deb12u1   fixed
postgresql-17    sid                   17.6-1            fixed
postgresql-17    trixie                17.6-0+deb13u1    fixed
Ubuntu Releases (dne = package does not exist in that release)
Ubuntu Product   Codename   Status         Fixed version
postgresql-16    focal      dne
postgresql-16    jammy      dne
postgresql-16    noble      released       16.6-0ubuntu0.24.04.1
postgresql-16    oracular   released       16.6-0ubuntu0.24.10.1
postgresql-16    plucky     dne
postgresql-16    questing   dne
postgresql-14    focal      dne
postgresql-14    jammy      released       14.15-0ubuntu0.22.04.1
postgresql-14    noble      dne
postgresql-14    oracular   dne
postgresql-14    plucky     dne
postgresql-14    questing   dne
postgresql-12    focal      released       12.22-0ubuntu0.20.04.1
postgresql-12    jammy      dne
postgresql-12    noble      dne
postgresql-12    oracular   dne
postgresql-12    plucky     dne
postgresql-12    questing   dne
postgresql-10    bionic     needs-triage
postgresql-10    focal      dne
postgresql-10    jammy      dne
postgresql-10    noble      dne
postgresql-10    oracular   dne
postgresql-10    plucky     dne
postgresql-10    questing   dne
postgresql-9.5   focal      dne
postgresql-9.5   jammy      dne
postgresql-9.5   noble      dne
postgresql-9.5   oracular   dne
postgresql-9.5   plucky     dne
postgresql-9.5   questing   dne
postgresql-9.5   xenial     released       9.5.25-0ubuntu0.16.04.1+esm10
postgresql-9.3   focal      dne
postgresql-9.3   jammy      dne
postgresql-9.3   noble      dne
postgresql-9.3   oracular   dne
postgresql-9.3   plucky     dne
postgresql-9.3   questing   dne
postgresql-9.3   trusty     deferred
postgresql-9.1   focal      dne
postgresql-9.1   jammy      dne
postgresql-9.1   noble      dne
postgresql-9.1   oracular   dne
postgresql-9.1   plucky     dne
postgresql-9.1   questing   dne
postgresql-17    focal      dne
postgresql-17    jammy      dne
postgresql-17    noble      dne
postgresql-17    oracular   dne
postgresql-17    plucky     not-affected
postgresql-17    questing   not-affected