CVE-2024-10976

CVSS 3.1 Score 4.2 of 10 (medium)

Details

Published Nov 14, 2024
Updated: Nov 15, 2024
CWE ID 1250

Summary

CVE-2024-10976 is a new vulnerability affecting PostgreSQL databases. Incomplete tracking of tables with row security leads to potentially incorrect policies being applied when a query is planned under one role and executed under another. This can result in unintended reads or modifications, even if the original query was forbidden. This issue is distinct from CVE-2023-2455 and CVE-2016-2193, as it pertains to queries that involve subqueries, WITH queries, security invoker views, or SQL-language functions referencing tables with row-level security policies. PostgreSQL versions before 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are vulnerable to this attack, which requires an attacker to tailor their attack to a specific application's pattern of query plan reuse, user ID changes, and role-specific row security policies.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Affected Products

  • PostgreSQL

Affected Vendors

  • PostgreSQL Global Development Group