Security Advisory – PostgreSQL CVE-2024-0985: Privilege Escalation via MATERIALIZED VIEW

A vulnerability in PostgreSQL, identified as CVE-2024-0985, allows an attacker to execute arbitrary SQL functions because REFRESH MATERIALIZED VIEW CONCURRENTLY drops privileges late. The issue lets an object creator run SQL functions as the command issuer, whereas the command was intended to run them only as the owner so that refreshes are safe. It affects versions before 15.6, 14.11, 13.14, and 12.18, and the attacker must trick a superuser or role member into refreshing the attacker's materialized view. PostgreSQL version 16.2 introduces fixes and additional protections.
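
An audit sketch for the exposure described above, added here as an example and not taken from the advisory or the PostgreSQL project. It uses the standard system catalogs and the version thresholds stated on this page; the column aliases are illustrative names chosen for this example.

```sql
-- Added example: run in each database as a superuser (for example with psql).

-- 1) Does this server predate the fixed minor releases named in the advisory?
--    server_version_num encodes 15.6 as 150006, 16.2 as 160002, and so on.
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN v >= 160000 THEN v < 160002
         WHEN v >= 150000 THEN v < 150006
         WHEN v >= 140000 THEN v < 140011
         WHEN v >= 130000 THEN v < 130014
         ELSE v < 120018
       END AS lacks_fix
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- 2) Materialized views owned by non-superuser roles. These are the objects
--    a superuser should not refresh concurrently on an unpatched server
--    without first reviewing their definition.
SELECT n.nspname AS schema_name,
       c.relname AS matview_name,
       r.rolname AS owner,
       -- REFRESH ... CONCURRENTLY needs a plain unique index (no predicate,
       -- no expression columns), so this flags views where it can be used.
       EXISTS (
         SELECT 1
         FROM pg_index i
         WHERE i.indrelid = c.oid
           AND i.indisunique
           AND i.indpred IS NULL
           AND i.indexprs IS NULL
       ) AS concurrent_refresh_possible
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r ON r.oid = c.relowner
WHERE c.relkind = 'm'          -- 'm' = materialized view
  AND NOT r.rolsuper
ORDER BY r.rolname, n.nspname, c.relname;
```

Rows from the second query with `concurrent_refresh_possible` set to true are the ones to check against scheduled or manual refresh jobs that run under privileged roles.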

For more detailed information, visit the official advisory at PostgreSQL.