CVE-2024-10978

Description

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

How to fix CVE-2024-10978

To remediate CVE-2024-10978, upgrade the affected package to a fixed version below.

• —upgrade to 14.14-r0 or later
• —upgrade to 15.9-r0 or later
• —upgrade to 16.5-r0 or later
• —upgrade to 17.1-r0 or later
• —upgrade to 12.21.0 or later
• —upgrade to 13.17-0+deb11u1 or later
• —upgrade to 15.9-0+deb12u1 or later
• —upgrade to 17.1-1 or later

Is CVE-2024-10978 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 14.14-r0
• from 0, < 15.9-r0
• from 0, < 16.5-r0
• from 0, < 17.1-r0
• from 0, < 12.21.0, >= 13.0.0, < 13.17.0, >= 14.0.0, < 14.14.0, >= 15.0.0, < 15.9.0, >= 16.0.0, < 16.5.0, >= 17.0.0, < 17.1.0
• from 0, < 13.17-0+deb11u1
• from 0, < 15.9-0+deb12u1
• from 0, < 17.1-1

CVSS scores

References (7)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-10978
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-10978
• WEBlists.debian.org/debian-lts-announce/2024/11/msg00011.html
• WEBlists.debian.org/debian-lts-announce/2024/11/msg00018.html