CVE-2024-10976
CVSS 3.1 Score 4.2 of 10 (medium)
Details
Summary
CVE-2024-10976 is a new vulnerability affecting PostgreSQL databases. Incomplete tracking of tables with row security leads to potentially incorrect policies being applied when a query is planned under one role and executed under another. This can result in unintended reads or modifications, even if the original query was forbidden. This issue is distinct from CVE-2023-2455 and CVE-2016-2193, as it pertains to queries that involve subqueries, WITH queries, security invoker views, or SQL-language functions referencing tables with row-level security policies. PostgreSQL versions before 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are vulnerable to this attack, which requires an attacker to tailor their attack to a specific application's pattern of query plan reuse, user ID changes, and role-specific row security policies.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Affected Products
- PostgreSQL
Affected Vendors
- PostgreSQL Global Development Group