{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-10976", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2024-11-07T19:27:02.623Z", "datePublished": "2024-11-14T13:00:01.930Z", "dateUpdated": "2024-11-14T19:32:17.213Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2024-11-14T13:00:01.930Z"}, "title": "PostgreSQL row security below e.g. subqueries disregards user ID changes", "descriptions": [{"lang": "en", "value": "Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected."}], "affected": [{"defaultStatus": "unaffected", "product": "PostgreSQL", "vendor": "n/a", "versions": [{"lessThan": "17.1", "status": "affected", "version": "17", "versionType": "rpm"}, {"lessThan": "16.5", "status": "affected", "version": "16", "versionType": "rpm"}, {"lessThan": "15.9", "status": "affected", "version": "15", "versionType": "rpm"}, {"lessThan": "14.14", "status": "affected", "version": "14", "versionType": "rpm"}, {"lessThan": "13.17", "status": "affected", "version": "13", "versionType": "rpm"}, {"lessThan": "12.21", "status": "affected", "version": "0", "versionType": "rpm"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1250", "type": "CWE", "description": "Improper Preservation of Consistency Between Independent Representations of Shared State"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2024-10976/"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 4.2, "baseSeverity": "MEDIUM"}}], "configurations": [{"lang": "en", "value": "application uses row security policies that react to the current role, and one database session reaches the same query via multiple roles"}], "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Wolfgang Walther for reporting this problem."}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-14T18:53:41.183245Z", "id": "CVE-2024-10976", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T19:32:17.213Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-10976", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-14T18:53:41.183245Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-14T18:54:22.272Z"}}], "cna": {"title": "PostgreSQL row security below e.g. subqueries disregards user ID changes", "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Wolfgang Walther for reporting this problem."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 4.2, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "n/a", "product": "PostgreSQL", "versions": [{"status": "affected", "version": "17", "lessThan": "17.1", "versionType": "rpm"}, {"status": "affected", "version": "16", "lessThan": "16.5", "versionType": "rpm"}, {"status": "affected", "version": "15", "lessThan": "15.9", "versionType": "rpm"}, {"status": "affected", "version": "14", "lessThan": "14.14", "versionType": "rpm"}, {"status": "affected", "version": "13", "lessThan": "13.17", "versionType": "rpm"}, {"status": "affected", "version": "0", "lessThan": "12.21", "versionType": "rpm"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2024-10976/"}], "descriptions": [{"lang": "en", "value": "Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1250", "description": "Improper Preservation of Consistency Between Independent Representations of Shared State"}]}], "configurations": [{"lang": "en", "value": "application uses row security policies that react to the current role, and one database session reaches the same query via multiple roles"}], "providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2024-11-14T13:00:01.930Z"}}}, "cveMetadata": {"cveId": "CVE-2024-10976", "state": "PUBLISHED", "dateUpdated": "2024-11-14T19:32:17.213Z", "dateReserved": "2024-11-07T19:27:02.623Z", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "datePublished": "2024-11-14T13:00:01.930Z", "assignerShortName": "PostgreSQL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "433D59A0-8811-4DDB-A9F7-D85C62F905CC", "versionEndExcluding": "12.21", "versionStartIncluding": "12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "380F8048-FBE5-4606-93A3-915CFD229317", "versionEndExcluding": "13.17", "versionStartIncluding": "13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "FACF31C7-3B20-4BAE-A596-9C59D67406D8", "versionEndExcluding": "14.14", "versionStartIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "DF12F1A2-3179-4DAC-B728-038B94954DC7", "versionEndExcluding": "15.9", "versionStartIncluding": "15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "353CBD91-FC28-4DA3-B79A-F4F4DC80FA93", "versionEndExcluding": "16.5", "versionStartIncluding": "16.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "DCEB2049-EB8A-4703-B3FF-FC641623ED2C", "versionEndExcluding": "17.1", "versionStartIncluding": "17.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected."}, {"lang": "es", "value": "El seguimiento incompleto en PostgreSQL de tablas con seguridad de filas permite que una consulta reutilizada vea o cambie filas diferentes a las previstas. CVE-2023-2455 y CVE-2016-2193 solucionaron la mayor\u00eda de las interacciones entre la seguridad de filas y los cambios de ID de usuario. Pasaron por alto los casos en los que una subconsulta, una consulta WITH, una vista de invocador de seguridad o una funci\u00f3n de lenguaje SQL hace referencia a una tabla con una pol\u00edtica de seguridad a nivel de fila. Esto tiene las mismas consecuencias que las dos CVE anteriores. Es decir, conduce a la aplicaci\u00f3n de pol\u00edticas potencialmente incorrectas en los casos en los que se utilizan pol\u00edticas espec\u00edficas de roles y se planifica una consulta determinada bajo un rol y luego se ejecuta bajo otros roles. Este escenario puede ocurrir bajo funciones de definidor de seguridad o cuando se planifica inicialmente un usuario y una consulta comunes y luego se reutilizan en varios SET ROLE. La aplicaci\u00f3n de una pol\u00edtica incorrecta puede permitir que un usuario complete lecturas y modificaciones que de otro modo estar\u00edan prohibidas. Esto afecta solo a las bases de datos que han utilizado CREATE POLICY para definir una pol\u00edtica de seguridad de filas. Un atacante debe adaptar un ataque al patr\u00f3n de reutilizaci\u00f3n de planes de consulta, cambios de ID de usuario y pol\u00edticas de seguridad de filas espec\u00edficas de roles de una aplicaci\u00f3n en particular. Las versiones anteriores a PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17 y 12.21 se ven afectadas."}], "id": "CVE-2024-10976", "lastModified": "2025-02-11T17:46:21.280", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-11-14T13:15:03.793", "references": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "tags": ["Vendor Advisory"], "url": "https://www.postgresql.org/support/security/CVE-2024-10976/"}], "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1250"}], "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:10785", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:12-8100020241122084405.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10830", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:15-8100020241122084744.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-05T00:00:00Z"}, {"advisory": "RHSA-2024:10831", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:16-8100020241122085009.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-05T00:00:00Z"}, {"advisory": "RHSA-2024:10832", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:13-8100020241122084628.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-12-05T00:00:00Z"}, {"advisory": "RHSA-2024:10787", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "postgresql:15-9050020241122141928.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10788", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "postgresql:16-9050020241122142517.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-04T00:00:00Z"}, {"advisory": "RHSA-2024:10791", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "postgresql-0:13.18-1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-12-04T00:00:00Z"}], "bugzilla": {"description": "postgresql: PostgreSQL row security below e.g. subqueries disregards user ID changes", "id": "2326263", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2326263"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-1250", "details": ["Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.", "A flaw was found in PostgreSQL. This vulnerability allows incorrect row-level security policies to be applied via subqueries, WITH queries, security invoker views, or SQL-language functions that reference tables with row-level security policies. This issue arises when a query is planned under one role and executed under another, potentially leading to unauthorized reads or modifications of data."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-10976", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2024-11-14T13:00:01Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-10976\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-10976\nhttps://www.postgresql.org/support/security/CVE-2024-10976/"], "threat_severity": "Moderate"}