CVE-2024-1713: 
PostgreSQL vulnerability analysis and mitigation

A vulnerability in plv8 3.2.1 (CVE-2024-1713) allows users with database object creation privileges to execute deferred triggers with Superuser permissions during autovacuum operations. The vulnerability was discovered on January 9, 2024, and publicly disclosed on February 21, 2024 (Google Security).

The vulnerability stems from PLV8's cursor implementation missing proper rollback mechanisms. When a cursor operation encounters an error, the PostgreSQL error is caught and rethrown as a JavaScript exception that can be caught, allowing malicious users to catch the error and commit instead of rolling back. This behavior particularly affects deferred triggers, enabling privilege escalation scenarios similar to CVE-2020-25695. The vulnerability has been assigned a CVSS v3.1 score of 7.2 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (Ubuntu CVE).

The vulnerability allows a user with object creation privileges to escalate their permissions to Superuser level during autovacuum operations. This can lead to unauthorized privilege elevation and potential complete system compromise, as demonstrated by the ability to alter user privileges in the proof of concept (Google Security).

As of the current date, no official patches or fixes have been released for this vulnerability. The vulnerability was reported on January 9, 2024, and disclosed on February 21, 2024, but remains unpatched (Google Security).