VulnerableCode Vulnerability Details

Search for vulnerabilities

Vulnerability details: VCID-1av1-tagn-aaan

Essentials
Severities (98)
References (39)
Severity details (10)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-1av1-tagn-aaan
Aliases	CVE-2024-0985
Summary	Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.
Status	Published
Exploitability	0.5
Weighted Severity	7.2
Risk	3.6
Affected and Fixed Packages	Package Details

Weaknesses (1)

CWE-271

Privilege Dropping / Lowering Errors

System	Score	Found at
cvssv3	8.0	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-0985.json
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00060	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00066	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00066	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00066	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00066	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00077	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00244	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00251	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00251	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00251	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00251	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00386	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00386	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.00397	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
epss	0.01256	https://api.first.org/data/v1/epss?cve=CVE-2024-0985
cvssv3.1	8	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1	8	https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
ssvc	Track	https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
cvssv3	8.0	https://nvd.nist.gov/vuln/detail/CVE-2024-0985
cvssv3.1	8.0	https://nvd.nist.gov/vuln/detail/CVE-2024-0985
cvssv3.1	8	https://saites.dev/projects/personal/postgres-cve-2024-0985/
ssvc	Track	https://saites.dev/projects/personal/postgres-cve-2024-0985/
cvssv3	8.0	https://www.postgresql.org/support/security/CVE-2024-0985/
cvssv3.1	8	https://www.postgresql.org/support/security/CVE-2024-0985/
ssvc	Track	https://www.postgresql.org/support/security/CVE-2024-0985/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-0985.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-0985
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0985
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html
		https://saites.dev/projects/personal/postgres-cve-2024-0985/
		https://security.netapp.com/advisory/ntap-20241220-0005/
		https://www.postgresql.org/about/news/postgresql-162-156-1411-1314-and-1218-released-2807/
		https://www.postgresql.org/support/security/CVE-2024-0985/
2263384		https://bugzilla.redhat.com/show_bug.cgi?id=2263384
cpe:2.3:a:postgresql:postgresql::::::::		https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:postgresql:postgresql::::::::
CVE-2024-0985		https://nvd.nist.gov/vuln/detail/CVE-2024-0985
GLSA-202408-06		https://security.gentoo.org/glsa/202408-06
RHSA-2024:0950		https://access.redhat.com/errata/RHSA-2024:0950
RHSA-2024:0951		https://access.redhat.com/errata/RHSA-2024:0951
RHSA-2024:0956		https://access.redhat.com/errata/RHSA-2024:0956
RHSA-2024:0973		https://access.redhat.com/errata/RHSA-2024:0973
RHSA-2024:0974		https://access.redhat.com/errata/RHSA-2024:0974
RHSA-2024:0975		https://access.redhat.com/errata/RHSA-2024:0975
RHSA-2024:0988		https://access.redhat.com/errata/RHSA-2024:0988
RHSA-2024:0990		https://access.redhat.com/errata/RHSA-2024:0990
RHSA-2024:0992		https://access.redhat.com/errata/RHSA-2024:0992
RHSA-2024:1017		https://access.redhat.com/errata/RHSA-2024:1017
RHSA-2024:1069		https://access.redhat.com/errata/RHSA-2024:1069
RHSA-2024:1070		https://access.redhat.com/errata/RHSA-2024:1070
RHSA-2024:1071		https://access.redhat.com/errata/RHSA-2024:1071
RHSA-2024:1195		https://access.redhat.com/errata/RHSA-2024:1195
RHSA-2024:1240		https://access.redhat.com/errata/RHSA-2024:1240
RHSA-2024:1241		https://access.redhat.com/errata/RHSA-2024:1241
RHSA-2024:1314		https://access.redhat.com/errata/RHSA-2024:1314
RHSA-2024:1315		https://access.redhat.com/errata/RHSA-2024:1315
RHSA-2024:1348		https://access.redhat.com/errata/RHSA-2024:1348
RHSA-2024:1422		https://access.redhat.com/errata/RHSA-2024:1422
RHSA-2024:1426		https://access.redhat.com/errata/RHSA-2024:1426
RHSA-2024:1428		https://access.redhat.com/errata/RHSA-2024:1428
RHSA-2024:1429		https://access.redhat.com/errata/RHSA-2024:1429
RHSA-2024:1437		https://access.redhat.com/errata/RHSA-2024:1437
USN-6656-1		https://usn.ubuntu.com/6656-1/
USN-6656-2		https://usn.ubuntu.com/6656-2/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-0985.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-16T05:00:50Z/ Found at https://lists.debian.org/debian-lts-announce/2024/03/msg00017.html

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-0985

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-0985

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://saites.dev/projects/personal/postgres-cve-2024-0985/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-16T05:00:50Z/ Found at https://saites.dev/projects/personal/postgres-cve-2024-0985/

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H Found at https://www.postgresql.org/support/security/CVE-2024-0985/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-02-16T05:00:50Z/ Found at https://www.postgresql.org/support/security/CVE-2024-0985/

Exploit Prediction Scoring System (EPSS)

Percentile	0.26898
EPSS Score	0.00060
Published At	Nov. 1, 2024, midnight

Date	Actor	Action	Source	VulnerableCode Version
2024-02-07T19:39:20.208903+00:00	SUSE Severity Score Importer	Import	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml	34.0.0rc2