PT-2024-2087 · Unknown · Postgresql Anonymizer

Published: 2024-03-08 · Updated: 2024-03-08 · CVE-2024-2338

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PostgreSQL Anonymizer version 1.2

Description

The issue is a SQL injection vulnerability in PostgreSQL Anonymizer. It allows a user who owns a table to elevate their privileges to superuser when dynamic masking is enabled. The problem arises from a flaw that permits complex expressions to be provided as a value, which is later used to create masked views, leading to SQL injection. If dynamic masking is enabled, this results in privilege escalation to superuser after the label is created. Users who do not own a table, especially masked users, cannot exploit this vulnerability.

Recommendations

For PostgreSQL Anonymizer version 1.2, update to version 1.3 to resolve the issue. As a temporary workaround, consider disabling dynamic masking until the update is applied. Restrict table ownership to minimize the risk of exploitation. Avoid using complex expressions as values for security labels until the issue is resolved.
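
An audit sketch for the conditions described above, added here as an example and not taken from the advisory or the project. It assumes the extension is installed under the name anon and registers its security labels under the provider name anon (the defaults); adjust both if your deployment differs.

```sql
-- 1. Installed extension version. The advisory lists 1.2 as affected
--    and 1.3 as the fixed version.
SELECT extname, extversion
FROM pg_extension
WHERE extname = 'anon';          -- assumption: default extension name

-- 2. Security labels on tables and columns whose owner is NOT a superuser.
--    The advisory states that only a table owner can reach the flaw, so
--    these owners are the accounts to review, and these label values are
--    the ones to inspect for anything beyond a simple masking expression.
SELECT r.rolname      AS table_owner,
       l.objtype,
       l.objname,
       l.label
FROM pg_seclabels AS l
JOIN pg_class AS c
  ON l.classoid = 'pg_class'::regclass
 AND c.oid = l.objoid
JOIN pg_roles AS r
  ON r.oid = c.relowner
WHERE l.provider = 'anon'        -- assumption: default provider name
  AND NOT r.rolsuper
ORDER BY r.rolname, l.objname;

-- 3. Non-superuser roles that own any ordinary or partitioned table,
--    labelled or not. Each of them can create a label on its own tables,
--    which is the precondition the advisory describes.
SELECT r.rolname      AS table_owner,
       count(*)       AS tables_owned
FROM pg_class AS c
JOIN pg_roles AS r
  ON r.oid = c.relowner
WHERE c.relkind IN ('r', 'p')
  AND NOT r.rolsuper
GROUP BY r.rolname
ORDER BY tables_owned DESC;
```

Run the queries in each database where the extension is installed, since pg_extension, pg_class and the table and column labels are per-database catalogs.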

Fix

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2024-01983
CVE-2024-2338

Affected Products

Postgresql Anonymizer