CVE-2024-4317: Missing Authorization in PostgreSQL

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.2% (top 58.69%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published 2024-05-14; latest update 2024-05-30

Description

Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installin
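The caveat in the description is the operationally important one: the views are part of each database's catalog, so upgrading the server binaries does not change views that already exist, and a cluster can run a fixed release while its databases still expose other users' statistics. The script below is an added example, not from the advisory and not PostgreSQL's own code; it builds a small fixture and then reads both views as a role with no privileges on the table, which tells you whether a given database still needs the release-note remediation. The schema, role, table and statistics names (cve4317, cve4317_owner, cve4317_reader, secrets, secrets_mcv, secrets_expr) are hypothetical, and the data is constructed.

```sql
-- Added example, not part of the advisory or of PostgreSQL's own code.
-- Purpose: check whether an existing database still exposes extended
-- statistics through pg_stats_ext / pg_stats_ext_exprs to a role that has
-- no privileges on the underlying table. Run the whole script in psql as a
-- superuser, once per database. Schema, role, table and statistics names
-- are hypothetical.

-- 1. Fixture: a table owned by cve4317_owner with multi-column MCV
--    statistics and single-expression statistics, then ANALYZE so that
--    pg_statistic_ext_data (what the views read) is populated.
CREATE ROLE cve4317_owner;
CREATE ROLE cve4317_reader;                 -- deliberately granted nothing
CREATE SCHEMA cve4317 AUTHORIZATION cve4317_owner;

SET ROLE cve4317_owner;
CREATE TABLE cve4317.secrets (id int, token text);
-- Constructed data: only three distinct tokens, so all of them land in the
-- most-common-values list and would show up in most_common_vals.
INSERT INTO cve4317.secrets
  SELECT g, 'tok-' || (g % 3) FROM generate_series(1, 1000) AS g;
CREATE STATISTICS cve4317.secrets_mcv (mcv) ON id, token FROM cve4317.secrets;
CREATE STATISTICS cve4317.secrets_expr ON (upper(token)) FROM cve4317.secrets;
ANALYZE cve4317.secrets;
RESET ROLE;

-- 2. The check: read both views as the unprivileged role. cve4317_reader
--    cannot SELECT from cve4317.secrets (no USAGE on the schema, no
--    privileges on the table), so it should not see its statistics either.
SET ROLE cve4317_reader;
SELECT tablename, statistics_name, most_common_vals
  FROM pg_stats_ext
 WHERE schemaname = 'cve4317';
SELECT tablename, statistics_name, expr, most_common_vals
  FROM pg_stats_ext_exprs
 WHERE schemaname = 'cve4317';
RESET ROLE;
-- Fixed database: both queries return 0 rows for cve4317_reader.
-- Still-vulnerable database: rows come back, and most_common_vals for the
-- expression statistics reveals TOK-0 / TOK-1 / TOK-2, i.e. the contents of
-- a column the role cannot read, via a function it never got to run.

-- 3. Cleanup.
DROP SCHEMA cve4317 CASCADE;
DROP ROLE cve4317_owner, cve4317_reader;
```

If either query returns rows for cve4317_reader, that database has not received the catalog-side fix the description refers to, whatever version the installed binaries report. Repeat the check in every database of the cluster, because each database carries its own copy of the pg_catalog views.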

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (7 packages)

Debian: debian/postgresql-13 < postgresql-15 15.7-0+deb12u1 (bookworm)
Debian: debian/postgresql-15 < postgresql-15 15.7-0+deb12u1 (bookworm)
CVEListV5: postgresql/postgresql 16, < 16.3 (+2 more ranges)
NVD: postgresql/postgresql >= 14.0, < 14.12 (+2 more ranges)

🔴 Vulnerability Details (2)

GHSA: GHSA-37xw-rpjg-xxfx: Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values (2024-05-14)
OSV: CVE-2024-4317: Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values (2024-05-14)

📋 Vendor Advisories (4)

Ubuntu: PostgreSQL vulnerability (2024-05-30)
Microsoft: PostgreSQL pg_stats_ext and pg_stats_ext_exprs lack authorization checks (2024-05-14)
Red Hat: postgresql: PostgreSQL pg_stats_ext and pg_stats_ext_exprs lack authorization checks (2024-05-09)
Debian: CVE-2024-4317: postgresql-13 - Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext... (2024)