#VU89297 Missing Authorization in PostgreSQL - CVE-2024-4317

Cybersecurity Help s.r.o.

Published: 2024-05-09

Vulnerability identifier: #VU89297

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-4317

CWE-ID: CWE-862

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs. A remote user can read most common values and other statistics from CREATE STATISTICS commands of other users.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 14.0 - 16.2

External links
https://www.postgresql.org/about/news/postgresql-163-157-1412-1315-and-1219-released-2858/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Anolis OS update for postgresql:15 module

Arctera InfoScale Operations Manager update for PostgreSQL

Multiple vulnerabilities in IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component

Multiple vulnerabilities in IBM Cloud Pak for Business Automation

IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data update for PostgreSQL

SUSE update for postgresql16

Multiple vulnerabilities in IBM Storage Copy Data Management

Multiple vulnerabilities in IBM Storage Protect Plus

SUSE update for postgresql16

Red Hat Enterprise Linux 8 update for the postgresql:15 module