#VU89297 Missing Authorization in PostgreSQL


Published: 2024-05-09

Vulnerability identifier: #VU89297

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-4317

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs. A remote user can read most common values and other statistics from CREATE STATISTICS commands of other users.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 16.0 - 16.2, 15.0 - 15.6, 14.0 - 14.11

External links
http://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SUSE update for postgresql16
Red Hat Enterprise Linux 8 update for the postgresql:15 module
Red Hat Enterprise Linux 8 update for the postgresql:15 module
Red Hat Enterprise Linux 9 update for the postgresql:16 module
Red Hat Enterprise Linux 8 update for the postgresql:16 module
Missing Authorization in IBM Sterling Connect:Direct Web Services
Gentoo update for PostgreSQL
Amazon Linux AMI update for postgresql15
SUSE update for postgresql14
SUSE update for postgresql14