Missing authorization in the PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read, or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the section below. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
This fix only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after this fix is applied. If you have a current PostgreSQL installation and are concerned about this issue, please use the following remediation steps to fix the issue:

1. Find the SQL script fix-CVE-2024-4317.sql in the share directory of your PostgreSQL installation (e.g. in /usr/share/postgresql/), or download it from the PostgreSQL git repository from one of the URLs below. You will need to use the script that matches your major version:

   PostgreSQL 16: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/catalog/fix-CVE-2024-4317.sql;hb=refs/heads/REL_16_STABLE

   From the above URLs, you can click the URL that says "raw" to download a version that you can copy and paste.

   Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only PostgreSQL 14, 15, and 16 are affected) or your minor version is too old to have the fix.

2. Run the fix-CVE-2024-4317.sql script as a database superuser. For example, in psql, with the file located in /usr/share/postgresql/, this command would look like:

   `\i /usr/share/postgresql/fix-CVE-2024-4317.sql`

3. Be sure to run the script in the template0 and template1 databases, or the vulnerability will still exist in databases you create later.

4. To fix template0, you'll need to temporarily allow it to accept connections. You can do this with the following command:

   `ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;`

   After executing the fix-CVE-2024-4317.sql script in template0 and template1, you should revoke the ability for template0 to accept connections. You can do this with the following command:

   `ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;`
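The remediation steps above, automated for every database in a cluster, as an added example that is not part of this advisory and not the PostgreSQL project's own tooling. It assumes psql is on PATH, that the caller connects as a superuser (connection settings via the usual PG* environment variables), and that the script lives at /usr/share/postgresql/fix-CVE-2024-4317.sql (overridable with FIX_SCRIPT); the function names are the example's own.

```shell
#!/bin/sh
# Added example: apply fix-CVE-2024-4317.sql to every database in a
# cluster, handling template0's connection setting around the run.
# Assumptions: psql on PATH, superuser credentials via PG* variables,
# and the script path below (adjust FIX_SCRIPT for your installation).
FIX_SCRIPT="${FIX_SCRIPT:-/usr/share/postgresql/fix-CVE-2024-4317.sql}"

# All databases in the cluster, template0 and template1 included,
# since the fix must be applied to the templates as well.
list_databases() {
    psql -XAtq -d postgres -c "SELECT datname FROM pg_database ORDER BY datname"
}

# Print the psql commands needed for one database, one per line.
# template0 normally refuses connections, so it is opened before the
# script runs and closed again afterwards, as the advisory requires.
plan_for_database() {
    db="$1"
    if [ "$db" = "template0" ]; then
        printf '%s\n' "psql -X -d postgres -c \"ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;\""
    fi
    printf '%s\n' "psql -X -v ON_ERROR_STOP=1 -d \"$db\" -f \"$FIX_SCRIPT\""
    if [ "$db" = "template0" ]; then
        printf '%s\n' "psql -X -d postgres -c \"ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;\""
    fi
}

# Number of commands in a database's plan (3 for template0, 1 otherwise).
plan_line_count() {
    plan_for_database "$1" | wc -l | tr -d ' '
}

# Execute the plan for every database, stopping at the first failure so
# a partially applied cluster is noticed rather than silently left behind.
apply_fix() {
    list_databases | while IFS= read -r db; do
        plan_for_database "$db" | while IFS= read -r cmd; do
            echo "+ $cmd"
            eval "$cmd" || exit 1
        done || { echo "fix failed in database $db" >&2; exit 1; }
    done
}

# Usage: sh fix-all.sh apply   (without "apply" only the functions are defined)
if [ "${1:-}" = "apply" ]; then
    apply_fix
fi
```

Running `plan_for_database template0` prints the three commands without executing anything, so the plan can be reviewed before `apply_fix` is invoked; `ON_ERROR_STOP=1` makes psql exit non-zero if any statement in the script fails, which is what lets the loop abort instead of continuing past a database that was not actually fixed.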
The PostgreSQL project thanks Lukas Fittl for reporting this problem.
Affected Version | Fixed In | Fix Published |
---|---|---|
16 | 16.3 | May 9, 2024 |
15 | 15.7 | May 9, 2024 |
14 | 14.12 | May 9, 2024 |
For more information about PostgreSQL versioning, please visit the versioning page.
Overall Score | 3.1 |
---|---|
Component | core server |
Vector | AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.
For reporting non-security bugs, please see the Report a Bug page.