Vulnerability details: VCID-fzrb-th1j-xyg4
Vulnerability ID VCID-fzrb-th1j-xyg4
Aliases CVE-2024-10978
Summary Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Status Published
Exploitability 0.5
Weighted Severity 3.8
Risk 1.9
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
cvssv3 4.2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10978.json
epss 0.00043 https://api.first.org/data/v1/epss?cve=CVE-2024-10978
epss 0.0008 https://api.first.org/data/v1/epss?cve=CVE-2024-10978
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2024-10978
epss 0.00102 https://api.first.org/data/v1/epss?cve=CVE-2024-10978
epss 0.00104 https://api.first.org/data/v1/epss?cve=CVE-2024-10978
epss 0.00186 https://api.first.org/data/v1/epss?cve=CVE-2024-10978
epss 0.00552 https://api.first.org/data/v1/epss?cve=CVE-2024-10978
cvssv3.1 4.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 4.2 https://nvd.nist.gov/vuln/detail/CVE-2024-10978
cvssv3 4.2 https://www.postgresql.org/support/security/CVE-2024-10978/
cvssv3.1 4.2 https://www.postgresql.org/support/security/CVE-2024-10978/
ssvc Track https://www.postgresql.org/support/security/CVE-2024-10978/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10978.json
https://api.first.org/data/v1/epss?cve=CVE-2024-10978
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10978
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://lists.debian.org/debian-lts-announce/2024/11/msg00018.html
https://www.postgresql.org/about/news/postgresql-171-165-159-1414-1317-and-1221-released-2955/
https://www.postgresql.org/message-id/173171334532.1547978.1518068370217143844%40wrigleys.postgresql.org
https://www.postgresql.org/support/security/CVE-2024-10978/
1088687 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088687
2326251 https://bugzilla.redhat.com/show_bug.cgi?id=2326251
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:17.0:-:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:postgresql:postgresql:17.0:-:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:17.0:beta1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:postgresql:postgresql:17.0:beta1:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:17.0:beta2:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:postgresql:postgresql:17.0:beta2:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:17.0:beta3:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:postgresql:postgresql:17.0:beta3:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:17.0:rc1:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:postgresql:postgresql:17.0:rc1:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
CVE-2024-10978 https://nvd.nist.gov/vuln/detail/CVE-2024-10978
GLSA-202412-12 https://security.gentoo.org/glsa/202412-12
RHSA-2024:10785 https://access.redhat.com/errata/RHSA-2024:10785
RHSA-2024:10787 https://access.redhat.com/errata/RHSA-2024:10787
RHSA-2024:10788 https://access.redhat.com/errata/RHSA-2024:10788
RHSA-2024:10791 https://access.redhat.com/errata/RHSA-2024:10791
RHSA-2024:10830 https://access.redhat.com/errata/RHSA-2024:10830
RHSA-2024:10831 https://access.redhat.com/errata/RHSA-2024:10831
RHSA-2024:10832 https://access.redhat.com/errata/RHSA-2024:10832
USN-7132-1 https://usn.ubuntu.com/7132-1/
USN-7358-1 https://usn.ubuntu.com/7358-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-10978.json
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2024-10978
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://www.postgresql.org/support/security/CVE-2024-10978/
Attack Vector (AV): network; Attack Complexity (AC): high; Privileges Required (PR): low; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-14T18:53:38Z/ Found at https://www.postgresql.org/support/security/CVE-2024-10978/
Exploit Prediction Scoring System (EPSS)
Percentile 0.10184
EPSS Score 0.00043
Published At Nov. 18, 2024, midnight
Date Actor Action Source VulnerableCode Version
2024-11-18T16:55:18.641498+00:00 Alpine Linux Importer Import https://secdb.alpinelinux.org/edge/community.json 34.3.2