NVD Vulnerability Detail

CVE-2024-10976

Summary	Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Publication Date	Nov. 14, 2024, 10:15 p.m.
Registration Date	Nov. 15, 2024, 5 a.m.
Last Update	Nov. 15, 2024, 10:58 p.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://www.postgresql.org/support/security/CVE-2024-10976/

Common Vulnerabilities List

JVN Vulnerability Information

PostgreSQL.org の PostgreSQL における脆弱性

Title	PostgreSQL.org の PostgreSQL における脆弱性
Summary	PostgreSQL.org の PostgreSQL には、不特定の脆弱性が存在します。
Possible impacts	情報を取得される、および情報を改ざんされる可能性があります。
Solution	ベンダアドバイザリまたはパッチ情報が公開されています。参考情報を参照して適切な対策を実施してください。
Publication Date	Nov. 14, 2024, midnight
Registration Date	Feb. 12, 2025, 5:37 p.m.
Last Update	May 16, 2025, 5:56 p.m.

Affected System

PostgreSQL.org

PostgreSQL 12.0 以上 12.21 未満

PostgreSQL 13.0 以上 13.17 未満

PostgreSQL 14.0 以上 14.14 未満

PostgreSQL 15.0 以上 15.9 未満

PostgreSQL 16.0 以上 16.5 未満

PostgreSQL 17.0 以上 17.1 未満

日立

Hitachi Infrastructure Analytics Advisor (海外販売のみ)

Hitachi Ops Center Analyzer (海外販売のみ)

Hitachi Ops Center Analyzer viewpoint (海外販売のみ)

Hitachi Ops Center Viewpoint (国内販売のみ)

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2024-10976	https://www.cve.org/CVERecord?id=CVE-2024-10976
National Vulnerability Database (NVD)
2	CVE-2024-10976	https://nvd.nist.gov/vuln/detail/CVE-2024-10976

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-1250	https://cwe.mitre.org/data/definitions/1250.html
2	CWE-noinfo	https://www.ipa.go.jp/security/vuln/scap/cwe.html

ベンダー情報

No	Name	URL
Hitachi Software Vulnerability Information
1	hitachi-sec-2025-118	https://www.hitachi.com/products/it/software/security/info/vuls/hitachi-sec-2025-118/index.html
ソフトウェア製品セキュリティ情報
2	hitachi-sec-2025-118	https://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2025-118/index.html

その他

No	Name	URL
関連文書
1	www.postgresql.org (CVE-2024-10976)	https://www.postgresql.org/support/security/CVE-2024-10976/

Change Log

No	Changed Details	Date of change
1	[2025年02月12日] 掲載	Feb. 12, 2025, 5:37 p.m.
2	[2025年05月16日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日立 (hitachi-sec-2025-118) を追加	May 16, 2025, 3:30 p.m.