The CVE-2024-10978 vulnerability in PostgreSQL allows a less-privileged application user to view or change different rows from those intended when using SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature while handling user-controlled inputs or conveying query results. This vulnerability affects versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21.
Background
PostgreSQL is an open-source, powerful, and advanced object-relational database system that emphasizes extensibility and standards compliance. As an attacker, having the ability to change or view data that they're not supposed to access can lead to serious consequences like data leaks, unauthorized modifications, or abuse of application functionality.
The CVE-2024-10978 vulnerability takes advantage of incorrect privilege assignments in PostgreSQL, allowing a less-privileged attacker to view or change different rows from those intended when the application uses SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature and has user-supplied inputs or query result outputs being involved.
Exploit Details
The vulnerability relies on the application using SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature while relying on user-controlled inputs or conveying query results. Specifically, the issue occurs when an application query uses parameters from the attacker or conveys query results to the attacker.
An attack scenario might look like following
1. The attacker uses an input field in the application to inject a parameter that changes the current_setting('role') or the current_user value, thus potentially affecting subsequent queries.
2. The application makes a query that is influenced by the attacker's controlled setting, leading to unintended data exposure or modification.
For example
-- The attacker injects the parameter value as 'malicious_role'
SET ROLE malicious_role;
-- The application runs a query that is affected by the attacker's controlled role
SELECT * FROM users WHERE role = current_setting('role');
The attacker, however, does not control which incorrect user ID applies. It's also important to note that the issue does not concern query text from less-privileged sources – SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries.
Affected Versions
This vulnerability affects PostgreSQL versions before 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21.
References
1. PostgreSQL Security Advisory: Incorrect Privilege Assignment Vulnerability - CVE-2024-10978
2. PostgreSQL Official Documentation
3. National Vulnerability Database - CVE-2024-10978
Mitigation
To protect against this vulnerability, PostgreSQL users should urgently upgrade their installations to a secure version.
Users running affected versions can download the latest patch/update from the PostgreSQL official download page. The fixed versions are as follows:
PostgreSQL 12.21
It's also essential for developers to correctly handle user-controlled inputs and avoid exposing sensitive information through query results. Sanitizing inputs and controlling the information displayed as output may reduce the chances of exploitation.
Timeline
Published on: 11/14/2024 13:15:04 UTC
Last modified on: 11/15/2024 13:58:08 UTC