Package details: pkg:deb/debian/postgresql-11@11.16-0%2Bdeb10u1
purl pkg:deb/debian/postgresql-11@11.16-0%2Bdeb10u1
Next non-vulnerable version None.
Latest non-vulnerable version None.
Risk 4.0
Vulnerabilities affecting this package (9)
Vulnerability Summary Fixed by
VCID-1av1-tagn-aaan
Aliases:
CVE-2024-0985
Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected. There are no reported fixed by versions.
VCID-1x7h-y79g-aaam
Aliases:
CVE-2023-5869
postgresql: Buffer overrun from integer overflow in array modification. There are no reported fixed by versions.
VCID-23g8-dcz6-aaan
Aliases:
CVE-2023-39417
A SQL injection vulnerability was found in PostgreSQL when an extension script uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser. There are no reported fixed by versions.
VCID-3342-7zd2-aaac
Aliases:
CVE-2022-2625
A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser. There are no reported fixed by versions.
VCID-kpnh-gadr-aaae
Aliases:
CVE-2022-41862
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes. There are no reported fixed by versions.
VCID-m2ku-ydb8-aaaf
Aliases:
CVE-2023-2455
Row security policies disregard user ID changes after inlining. PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query are planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. There are no reported fixed by versions.
VCID-vbhe-jsxj-aaaj
Aliases:
CVE-2023-5868
postgresql: Memory disclosure in aggregate function calls. There are no reported fixed by versions.
VCID-y8yz-9q93-aaaq
Aliases:
CVE-2023-2454
schema_element defeats protective search_path changes. It was found that certain database calls in PostgreSQL could permit an authenticated attacker with elevated database-level privileges to execute arbitrary code. There are no reported fixed by versions.
VCID-zf9j-hpj7-aaaj
Aliases:
CVE-2023-5870
postgresql: Role pg_signal_backend can signal certain superuser processes. There are no reported fixed by versions.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2025-06-21T16:28:22.045286+00:00 Debian Oval Importer Affected by VCID-vbhe-jsxj-aaaj https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.3
2025-06-21T16:07:16.205234+00:00 Debian Oval Importer Affected by VCID-3342-7zd2-aaac https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.3
2025-06-21T15:47:31.855672+00:00 Debian Oval Importer Affected by VCID-23g8-dcz6-aaan https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.3
2025-06-21T14:44:43.092681+00:00 Debian Oval Importer Affected by VCID-y8yz-9q93-aaaq https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.3
2025-06-21T14:25:17.323630+00:00 Debian Oval Importer Affected by VCID-zf9j-hpj7-aaaj https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.3
2025-06-21T14:05:51.253507+00:00 Debian Oval Importer Affected by VCID-1x7h-y79g-aaam https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.3
2025-06-21T13:42:08.804334+00:00 Debian Oval Importer Affected by VCID-m2ku-ydb8-aaaf https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.3
2025-06-21T08:08:18.809305+00:00 Debian Oval Importer Affected by VCID-m2ku-ydb8-aaaf None 36.1.3
2025-06-21T08:07:05.300714+00:00 Debian Oval Importer Affected by VCID-y8yz-9q93-aaaq None 36.1.3
2025-06-21T07:22:25.776676+00:00 Debian Oval Importer Affected by VCID-kpnh-gadr-aaae None 36.1.3
2025-06-20T20:45:04.873144+00:00 Debian Oval Importer Affected by VCID-3342-7zd2-aaac None 36.1.3
2025-06-08T09:14:15.768016+00:00 Debian Oval Importer Affected by VCID-vbhe-jsxj-aaaj https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.0
2025-06-08T08:59:00.600386+00:00 Debian Oval Importer Affected by VCID-3342-7zd2-aaac https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.0
2025-06-08T08:40:57.052151+00:00 Debian Oval Importer Affected by VCID-23g8-dcz6-aaan https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.0
2025-06-08T07:38:01.795727+00:00 Debian Oval Importer Affected by VCID-y8yz-9q93-aaaq https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.0
2025-06-08T07:18:20.425520+00:00 Debian Oval Importer Affected by VCID-zf9j-hpj7-aaaj https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.0
2025-06-08T06:59:41.225216+00:00 Debian Oval Importer Affected by VCID-1x7h-y79g-aaam https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.0
2025-06-08T06:36:23.014396+00:00 Debian Oval Importer Affected by VCID-m2ku-ydb8-aaaf https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.1.0
2025-06-08T01:49:31.153470+00:00 Debian Oval Importer Affected by VCID-m2ku-ydb8-aaaf None 36.1.0
2025-06-08T01:48:16.983703+00:00 Debian Oval Importer Affected by VCID-y8yz-9q93-aaaq None 36.1.0
2025-06-08T01:02:13.569381+00:00 Debian Oval Importer Affected by VCID-kpnh-gadr-aaae None 36.1.0
2025-06-07T14:16:59.156051+00:00 Debian Oval Importer Affected by VCID-3342-7zd2-aaac None 36.1.0
2025-04-12T23:11:36.024251+00:00 Debian Oval Importer Affected by VCID-1av1-tagn-aaan https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.0.0
2025-04-08T07:46:14.047138+00:00 Debian Oval Importer Affected by VCID-vbhe-jsxj-aaaj https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.0.0
2025-04-08T07:30:37.213470+00:00 Debian Oval Importer Affected by VCID-3342-7zd2-aaac https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.0.0
2025-04-08T07:12:25.020352+00:00 Debian Oval Importer Affected by VCID-23g8-dcz6-aaan https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.0.0
2025-04-08T06:10:34.391485+00:00 Debian Oval Importer Affected by VCID-y8yz-9q93-aaaq https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.0.0
2025-04-08T05:50:56.448426+00:00 Debian Oval Importer Affected by VCID-zf9j-hpj7-aaaj https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.0.0
2025-04-08T05:32:18.621808+00:00 Debian Oval Importer Affected by VCID-1x7h-y79g-aaam https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.0.0
2025-04-08T05:08:42.784745+00:00 Debian Oval Importer Affected by VCID-m2ku-ydb8-aaaf https://www.debian.org/security/oval/oval-definitions-buster.xml.bz2 36.0.0
2025-04-08T00:21:16.113282+00:00 Debian Oval Importer Affected by VCID-m2ku-ydb8-aaaf None 36.0.0
2025-04-08T00:20:01.584676+00:00 Debian Oval Importer Affected by VCID-y8yz-9q93-aaaq None 36.0.0
2025-04-07T23:34:37.952185+00:00 Debian Oval Importer Affected by VCID-kpnh-gadr-aaae None 36.0.0
2025-04-07T12:49:47.391201+00:00 Debian Oval Importer Affected by VCID-3342-7zd2-aaac None 36.0.0