CVE-2024-10978 — Incorrect Privilege Assignment in Postgresql
Severity
NVD: 4.2 (MEDIUM)
OSV: 5.4
EPSS: 0.6% (top 30.12%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Nov 14
Latest update: Mar 19
Description
Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not us…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (Exploitability: 1.6 | Impact: 2.5)
Affected Packages: 9 packages
Also affects: Debian Linux 11.0
Vulnerability Details
OSV: CVE-2024-10978: Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended (2024-11-14)
GHSA: GHSA-37v9-jh5m-f5pg: Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended (2024-11-14)
Vendor Advisories
Red Hat
Debian: CVE-2024-10978: postgresql-13 - Incorrect privilege assignment in PostgreSQL allows a less-privileged applicatio... (2024)