PT-2024-1568

Published: 2024-02-07 · Updated: 2026-04-03 · CVE-2024-0985

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

PostgreSQL versions prior to 16.2
PostgreSQL versions prior to 15.6
PostgreSQL versions prior to 14.11
PostgreSQL versions prior to 13.14
PostgreSQL versions prior to 12.18

Description

The issue is a late privilege drop in PostgreSQL's REFRESH MATERIALIZED VIEW CONCURRENTLY command, which allows the creator of a materialized view to execute arbitrary SQL functions as the user issuing the command. The command is intended to run SQL functions as the owner of the materialized view, so that untrusted materialized views can be refreshed safely; because privileges are dropped too late, the functions instead run with the privileges of the command issuer. This could enable the execution of malicious code with elevated privileges, potentially leading to data breaches and further compromise. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. The victim is typically a superuser or a member of one of the attacker's roles.

Recommendations

For versions prior to 16.2, update to version 16.2 or later.
For versions prior to 15.6, update to version 15.6 or later.
For versions prior to 14.11, update to version 14.11 or later.
For versions prior to 13.14, update to version 13.14 or later.
For versions prior to 12.18, update to version 12.18 or later.
As a temporary workaround, consider restricting access to the REFRESH MATERIALIZED VIEW CONCURRENTLY command until a patch is applied.
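Two checks a DBA can run before refreshing, added here as an example and not part of the advisory: the first compares the server's version number against the fixed releases listed above, the second lists materialized views owned by a role other than the current one, which is where the workaround applies on an unpatched server.

```sql
-- Added example (not from the advisory): pre-refresh checks for CVE-2024-0985.
-- 1. Is this server on a fixed release? Fixed: 16.2, 15.6, 14.11, 13.14, 12.18.
--    server_version_num encodes major*10000 + minor, e.g. 16.2 -> 160002.
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN v >= 160000 THEN v >= 160002
         WHEN v >= 150000 THEN v >= 150006
         WHEN v >= 140000 THEN v >= 140011
         WHEN v >= 130000 THEN v >= 130014
         WHEN v >= 120000 THEN v >= 120018
         ELSE NULL  -- release not covered by the advisory's version list
       END AS patched_for_cve_2024_0985
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- 2. Materialized views owned by someone other than the current role.
--    On an unpatched server, REFRESH ... CONCURRENTLY on these runs their
--    SQL functions with the refresher's privileges, so review the owner
--    and definition before refreshing (or refresh as the owner instead).
SELECT schemaname, matviewname, matviewowner, definition
FROM pg_matviews
WHERE matviewowner <> current_user
ORDER BY schemaname, matviewname;
```

Run both as the role that would issue the refresh; an empty result from the second query means no foreign-owned materialized views are in scope for that role.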

Fix

LPE

Related Identifiers


Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
PostgreSQL
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu