PT-2024-2088 · Unknown · Postgresql Anonymizer

Published: 2024-03-08 · Updated: 2024-03-11 · CVE-2024-2339

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PostgreSQL Anonymizer version 1.2

Description: The issue allows a user who owns a table to elevate to superuser by defining a masking function for a column of that table and placing malicious code in the function. When a privileged user applies the masking rules with static masking or the anonymous dump method, the malicious code runs with that user's privileges, granting escalated privileges to the table owner. The restrict to trusted schemas option provides only incomplete protection against this risk. Users who do not own a table, in particular masked users, cannot exploit this vulnerability. The problem is resolved in version 1.3.

Recommendations: For PostgreSQL Anonymizer version 1.2, update to version 1.3 to resolve the issue. As a temporary workaround, restrict the ability to declare masking functions for columns to trusted users only, and ensure the restrict to trusted schemas option is properly configured. Because the protection provided by this option is incomplete, updating to version 1.3 is the recommended solution.
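Before a privileged role runs static masking or an anonymous dump on a 1.2 installation, a DBA can inventory which masking rules exist, who owns the tables they are declared on, and whether each masking function lives outside the trusted schema. The query below is an added audit example, not part of this advisory or of the PostgreSQL Anonymizer project. It assumes masking rules are stored as column security labels with provider 'anon' in the form 'MASKED WITH FUNCTION schema.function(...)', and it treats only the anon schema as trusted; adjust the schema list in the final SELECT to match your own configuration.

```sql
-- Added audit query (not from the advisory or the PostgreSQL Anonymizer project).
-- Assumptions: masking rules are column security labels with provider 'anon';
-- the only trusted schema is 'anon'. Run as a superuser or a role that can read
-- the catalogs; it only reads, it does not apply any masking.
WITH masking_rules AS (
  SELECT
    n.nspname  AS table_schema,
    c.relname  AS table_name,
    a.attname  AS column_name,
    r.rolname  AS table_owner,
    r.rolsuper AS owner_is_superuser,
    sl.label   AS masking_rule,
    -- Extract "schema.function" from "MASKED WITH FUNCTION schema.function(...)".
    -- Rules of the form "MASKED WITH VALUE ..." yield NULL here (no function call).
    (regexp_match(sl.label, 'MASKED WITH FUNCTION\s+([A-Za-z0-9_."]+)', 'i'))[1]
               AS masking_function
  FROM pg_seclabel sl
  JOIN pg_class     c ON c.oid = sl.objoid
                     AND sl.classoid = 'pg_class'::regclass
  JOIN pg_namespace n ON n.oid = c.relnamespace
  JOIN pg_roles     r ON r.oid = c.relowner
  JOIN pg_attribute a ON a.attrelid = c.oid
                     AND a.attnum = sl.objsubid
  WHERE sl.provider = 'anon'
    AND sl.objsubid > 0            -- column-level labels only (objsubid = attnum)
    AND NOT a.attisdropped
)
SELECT
  table_schema,
  table_name,
  column_name,
  table_owner,
  masking_function,
  masking_rule,
  -- A function outside the trusted schema (or unqualified, so resolved via
  -- search_path) is the case the advisory describes: review it before masking.
  COALESCE(split_part(masking_function, '.', 1) NOT IN ('anon'), false)
    AS function_outside_trusted_schema,
  -- Rules declared on tables owned by non-superusers are where a lower-privileged
  -- owner could have injected code that the masking run would execute.
  NOT owner_is_superuser
    AS owner_is_not_superuser
FROM masking_rules
ORDER BY function_outside_trusted_schema DESC,
         owner_is_not_superuser DESC,
         table_schema, table_name, column_name;
```

Rows where both flags are true deserve a manual look at the function body (for example with pg_get_functiondef on the referenced function) before any privileged role applies the rules; until the upgrade to 1.3 is done, treat every non-trusted-schema masking function on a non-superuser-owned table as untrusted code.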

Fix

RCE

Weakness Enumeration

Related Identifiers

BDU:2024-01984
CVE-2024-2339

Affected Products

Postgresql Anonymizer