unauthorized escalated privileges in PostgreSQL (CVE-2024-4317) #shorts #breaking

CVE

Today, we're discussing a newly identified security issue in PostgreSQL, an open-source relational database. This zero-day vulnerability, labelled CVE-2024-4317, allows unauthorized users to gain escalated privileges. Specifically, it affects versions up to 14.11, 15.6, and 16.2 of PostgreSQL. By exploiting this weakness, attackers can gain higher-level permissions and access data that should be restricted. This is a crucial concern for administrators managing these versions of PostgreSQL. Understanding this vulnerability helps in recognizing the potential risks and areas that need monitoring.

Watch the full video on YouTube: CVE-2024-4317

Remediation and exploitation details

This chain involves the following actors

This following systems are involved

Attack entry point

Remediation actions

Exploitation actions

Related Content

NOTE: The following related content has not been vetted and may be unsafe.

CVE database technical details

CVE ID
CVE-2024-4317
Description
Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
Provider
PostgreSQL
CWE / problem types
Missing Authorization
Affected Software Versions
n/a:PostgreSQL:[{'lessThan': '16.3', 'status': 'affected', 'version': '16', 'versionType': 'rpm'}, {'lessThan': '15.7', 'status': 'affected', 'version': '15', 'versionType': 'rpm'}, {'lessThan': '14.12', 'status': 'affected', 'version': '14', 'versionType': 'rpm'}]
Date Published
2024-05-09T13:00:01.285Z
Last Updated
2025-03-28T15:03:02.067Z