FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

postgresql-server -- non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL

Affected packages
postgresql-server < 15.6
postgresql-server < 14.11
postgresql-server < 13.14
postgresql-server < 12.18

Details

VuXML ID 19e6dd1b-c6a5-11ee-9cd0-6cc21735f730
Discovery 2024-02-08
Entry 2024-02-08

PostgreSQL Project reports:

One step of a concurrent refresh command was run under weak security restrictions. If a materialized view's owner could persuade a superuser or other high-privileged user to perform a concurrent refresh on that view, the view's owner could control code executed with the privileges of the user running REFRESH. The fix for the vulnerability makes it so that all user-determined code is run as the view's owner, as expected.
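The following is an added example for this entry, not code from FreeBSD VuXML or the PostgreSQL project. It turns the advisory into two defender-side checks: a version test against the fixed releases listed under "Affected packages" (versions of other major branches are reported as not assessed), and a catalog query that inventories materialized views owned by non-superuser roles, which are the objects where a higher-privileged user running REFRESH MATERIALIZED VIEW CONCURRENTLY on an unpatched server would cross a privilege boundary. The query text and the function names are this example's own; the only page-derived values are the version thresholds.

```python
"""Defender-side checks for the REFRESH MATERIALIZED VIEW CONCURRENTLY
privilege issue described above (CVE-2024-0985).

Added example; not part of FreeBSD VuXML or PostgreSQL.
"""
import re

# First fixed minor release per major branch, taken from the
# "Affected packages" list on this page. Other majors are not assessed.
FIXED_VERSIONS = {15: 6, 14: 11, 13: 14, 12: 18}

# Inventory query (assumption: run by a role that can read the catalogs).
# Lists materialized views whose owner is not a superuser, i.e. the views
# a DBA should avoid concurrently refreshing as a superuser until the
# server is on a fixed release.
MATVIEW_OWNER_QUERY = """
SELECT n.nspname AS schema, c.relname AS matview, r.rolname AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r ON r.oid = c.relowner
WHERE c.relkind = 'm' AND NOT r.rolsuper
ORDER BY 1, 2;
"""

# Matches the first "major.minor" pair, so both the output of
# SHOW server_version ("15.5") and of SELECT version()
# ("PostgreSQL 15.5 on amd64-...") are accepted.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(version_string):
    """Return (major, minor) from a server version string.
    Raises ValueError when no major.minor pair is present."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"unrecognised PostgreSQL version: {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version_string):
    """True if the server is below the fixed release for its major branch,
    False if it is at or above it, None if the branch is not listed here."""
    major, minor = parse_version(version_string)
    fixed_minor = FIXED_VERSIONS.get(major)
    if fixed_minor is None:
        return None
    return minor < fixed_minor


def triage(servers):
    """Given {name: version_string}, return the names whose version is in
    an affected range. Constructed input lets this run offline."""
    return sorted(name for name, ver in servers.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory (not real hosts).
    sample = {
        "db-a": "PostgreSQL 15.5 on amd64-portbld-freebsd14.0",
        "db-b": "14.11",
        "db-c": "12.17",
    }
    for name in triage(sample):
        print(f"{name}: affected, apply the fixed release")
    print("inventory query to run on affected servers:")
    print(MATVIEW_OWNER_QUERY)
```

The version check is intentionally strict about scope: a branch the advisory does not list is returned as None rather than "safe", so a reader does not mistake "not covered here" for "fixed".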

References

CVE Name CVE-2024-0985
URL https://www.postgresql.org/support/security/CVE-2024-0985/