Strix
26.1K

CVE-2024-10978

MEDIUMCVSS 4.2/10EPSS 0.70%

Last modified

CVE-2024-10978 is a medium-severity vulnerability rated 4.2/10 on the CVSS scale. Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. EPSS estimates a 0.70% chance of exploitation in the next 30 days.

Description

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Metrics

CVSS 3.1
4.2/10

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS Probability
0.70%

48.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
PostgresqlPostgresql>= 12.0, < 12.21
PostgresqlPostgresql>= 13.0, < 13.17
PostgresqlPostgresql>= 14.0, < 14.14
PostgresqlPostgresql>= 15.0, < 15.9
PostgresqlPostgresql>= 16.0, < 16.5
PostgresqlPostgresql17.0
DebianDebian Linux11.0

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2024-10978?
Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
How severe is CVE-2024-10978?
CVE-2024-10978 has a CVSS score of 4.2/10 (MEDIUM severity). The EPSS model estimates a 0.70% probability of exploitation in the next 30 days.
How do I fix CVE-2024-10978?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-10978?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST