CVE-2024-0985: 
PostgreSQL vulnerability analysis and mitigation

CVE-2024-0985 affects PostgreSQL versions before 16.2, 15.6, 14.11, 13.14, and 12.18. The vulnerability allows an object creator to execute arbitrary SQL functions as the command issuer through a late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY. The vulnerability was discovered and disclosed on February 8, 2024 (PostgreSQL Advisory).

The vulnerability stems from a security context handling issue during the REFRESH MATERIALIZED VIEW CONCURRENTLY operation. The command is designed to run SQL functions as the owner of the materialized view to enable safe refresh of untrusted materialized views. However, during the creation of a temporary "diff" table, the code drops out of Security Restricted Operation (SRO) mode, which creates a window for privilege escalation. The vulnerability has been assigned a CVSS v3.1 base score of 8.0 (HIGH) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (PostgreSQL Advisory).

Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). The attacker could potentially execute arbitrary SQL commands with the privileges of the user running the REFRESH command, which is particularly dangerous if the victim is a superuser or member of one of the attacker's roles (NetApp Advisory).

The primary mitigation is to upgrade to the fixed versions: PostgreSQL 16.2, 15.6, 14.11, 13.14, or 12.18. These versions include patches that maintain proper security context during the REFRESH MATERIALIZED VIEW CONCURRENTLY operation (PostgreSQL Advisory).