CVE-2024-10978: PostgreSQL SET ROLE, SET SESSION AUTHORIZATION reset to wrong user ID
First published: Thu Nov 14 2024(Updated: )
Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Credit: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/postgresql-13 | <=13.16-0+deb11u1 | 13.20-0+deb11u1 |
| debian/postgresql-15 | 15.12-0+deb12u2 15.10-0+deb12u1 | |
| debian/postgresql-17 | 17.4-1 | |
| PostgreSQL | >=12.0<12.21 | |
| PostgreSQL | >=13.0<13.17 | |
| PostgreSQL | >=14.0<14.14 | |
| PostgreSQL | >=15.0<15.9 | |
| PostgreSQL | >=16.0<16.5 | |
| PostgreSQL | =17.0 | |
| PostgreSQL | =17.0-beta1 | |
| PostgreSQL | =17.0-beta2 | |
| PostgreSQL | =17.0-beta3 | |
| PostgreSQL | =17.0-rc1 | |
| Debian Linux | =11.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.postgresql.org/support/security/CVE-2024-10978/
- https://lists.debian.org/debian-lts-announce/2024/11/msg00018.html
- https://www.postgresql.org/message-id/173171334532.1547978.1518068370217143844%40wrigleys.postgresql.org
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10978
- https://nvd.nist.gov/vuln/detail/CVE-2024-10978
- https://launchpad.net/bugs/cve/CVE-2024-10978
- https://security-tracker.debian.org/tracker/CVE-2024-10978
- https://ubuntu.com/security/CVE-2024-10978
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=cd82afdda5e9d3269706a142e9093ba83f484185
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=f4f5d27d87247da1ec7e5a6e7990a22ffba9f63a
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=1c05004a895308da10ec000ba6b92f72f4f5b8e2
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=ae340d0318521ae7234ed3b7221a1f65f39a52c0
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=95f5a523729f6814c8757860d9a2264148b7b0df
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=b0918c1286d316f6ffa93995452270afd4fc4335
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=a5d2e6205f716c79ecfb15eb1aae75bae3f8daa9
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=109a323807d752f66699a9ce0762244f536e784f
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=edf80895f6bda824403f843df91cbc83890e4b6c
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=2a68808e241bf667ff72c31ea9d0c4eb0b893982
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=00b94e8e2f99a8ed1d7f854838234ce37f582da0
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=be062bfa54d780c07a3b36c4123da2c960c8e97d
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=76123ded6e9b3624e380ac326645bd026aacd2f5
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=dc7378793add3c3d9a40ec2118d92bd719acab97
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=07c6e0f613612ff060572a085c1c24aa44c8b2bb
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=4c9d96f74ba4e7d01c086ca54f217e242dd65fae
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=0edad8654848affe0786c798aea9e1a43dde54bc
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=c463338656ac47e5210fcf9fbf7d20efccce8de8
- https://access.redhat.com/errata/RHSA-2024:10785
- https://access.redhat.com/errata/RHSA-2024:10788
- https://access.redhat.com/errata/RHSA-2024:10787
- https://access.redhat.com/errata/RHSA-2024:10791
- https://access.redhat.com/errata/RHSA-2024:10830
- https://access.redhat.com/errata/RHSA-2024:10832
- https://access.redhat.com/errata/RHSA-2024:10831
- https://bugzilla.redhat.com/show_bug.cgi?id=2326251
Frequently Asked Questions
What is the severity of CVE-2024-10978?
CVE-2024-10978 has a severity rating that indicates a medium risk due to the potential for incorrect privilege assignment leading to unauthorized data access.
How do I fix CVE-2024-10978?
To fix CVE-2024-10978, upgrade to the patched versions of PostgreSQL, which are postgres-13 version 13.18-0+deb11u1 or higher, postgres-15 version 15.10-0+deb12u1 or higher, and make sure other versions are not used.
What are the affected versions in CVE-2024-10978?
CVE-2024-10978 affects PostgreSQL versions up to and including 13.16-0+deb11u1, 15.8-0+deb12u1, and 16.4-3.
Can CVE-2024-10978 be exploited remotely?
Exploitation of CVE-2024-10978 requires that the attacker have application-level access that enables the use of features like SET ROLE or SET SESSION AUTHORIZATION.
What type of vulnerability is CVE-2024-10978?
CVE-2024-10978 is classified as a privilege escalation vulnerability in PostgreSQL.
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-10978
- agent/trending
- agent/source
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- collector/usn-cve
- source/Ubuntu
- agent/description
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/softwarecombine
- agent/tags
- package-manager/debian
- vendor/postgresql
- canonical/postgresql
- version/postgresql/12.0
- version/postgresql/13.0
- version/postgresql/14.0
- version/postgresql/15.0
- version/postgresql/16.0
- version/postgresql/17.0
- version/postgresql/17.0-beta1
- version/postgresql/17.0-beta2
- version/postgresql/17.0-beta3
- version/postgresql/17.0-rc1
- vendor/debian
- canonical/debian linux
- version/debian linux/11.0