CVE-2024-10978 Overview
CVE-2024-10978 is an incorrect privilege assignment vulnerability in PostgreSQL [CWE-266]. The flaw allows a less-privileged application user to view or modify rows that should have been inaccessible. Exploitation requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature.
When an application query reacts to current_setting('role') or the current user ID, PostgreSQL may apply an incorrect identity. The query then returns or modifies data as if the session had never switched roles. The attacker does not control which incorrect user ID applies, limiting predictability of the impact.
Critical Impact
Authenticated users can bypass role-based access controls in PostgreSQL applications relying on SET ROLE or SET SESSION AUTHORIZATION, leading to unauthorized data read or modification.
Affected Products
- PostgreSQL versions prior to 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21
- Debian Linux 11 (postgresql package)
- Applications using SET ROLE or SET SESSION AUTHORIZATION for privilege separation
Discovery Timeline
- 2024-11-14 - CVE-2024-10978 published to NVD
- 2024-11-14 - PostgreSQL releases fixed versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-10978
Vulnerability Analysis
The vulnerability stems from PostgreSQL incorrectly tracking the active role identity after a session executes SET ROLE or SET SESSION AUTHORIZATION. Queries that reference current_setting('role') or the current user ID may evaluate against a stale or incorrect identity. Application logic that enforces row-level access using these identifiers can return or modify rows belonging to other users.
The attack requires an authenticated session with low privileges. The attacker must also influence query parameters or observe query results. Because the attacker does not control which incorrect user ID applies, the exposure is opportunistic rather than targeted.
The issue does not represent a sandbox escape. PostgreSQL documents that SET ROLE and SET SESSION AUTHORIZATION are not intended to contain unvetted query text. The risk applies specifically to applications that trust the role-switching feature for data isolation.
Root Cause
The root cause is incorrect privilege assignment [CWE-266] within PostgreSQL's session role-tracking logic. PostgreSQL fails to consistently apply the switched identity when evaluating built-in role functions during certain query paths.
Attack Vector
Exploitation occurs over the network against an authenticated database session. An attacker supplies crafted parameters to an application query, or observes query output, in a context where SET ROLE or SET SESSION AUTHORIZATION has been issued. The vulnerability has high attack complexity because the application must reference current_setting('role') or the current user ID in its logic.
No public proof-of-concept code or exploit is available. See the PostgreSQL Security Advisory CVE-2024-10978 for vendor-provided technical details.
Detection Methods for CVE-2024-10978
Indicators of Compromise
- Unexpected data access patterns from low-privilege application accounts in PostgreSQL audit logs
- Query results referencing current_setting('role') returning inconsistent or unexpected values
- Anomalous row modifications occurring during sessions that issued SET ROLE or SET SESSION AUTHORIZATION
Detection Strategies
- Enable the pgAudit extension or log_statement logging in PostgreSQL to capture role-switching commands and parameterized queries
- Review application query patterns for use of SET ROLE, SET SESSION AUTHORIZATION, and current_setting('role') references
- Correlate authenticated session activity with row-level access changes across user accounts
Monitoring Recommendations
- Forward PostgreSQL logs to a centralized SIEM and alert on role-switch operations from application service accounts
- Track PostgreSQL server version banners across the fleet to confirm patched releases are deployed
- Monitor for spikes in failed authorization checks or unexpected UPDATE/DELETE statements following role-switch operations
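The following Python is an added example, not code from this page or from the PostgreSQL project. It implements two of the checks above: the version-banner test from the monitoring list, and the correlation of SET ROLE / SET SESSION AUTHORIZATION with later UPDATE/DELETE statements in the same backend. It assumes a log_line_prefix of '%m [%p] %u@%d ' with log_statement = 'all' and correlates on backend pid; the service-account name and the log lines are constructed.

```python
import re

# Fixed minor release per major branch, as listed in the advisory; earlier minors are affected.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

def is_fixed_version(server_version: str) -> bool:
    """Return True if a 'SHOW server_version' string (e.g. '16.4 (Debian 16.4-1)') carries the fix."""
    m = re.match(r"(\d+)\.(\d+)", server_version)
    if not m:
        raise ValueError(f"unrecognised version string: {server_version!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major not in FIXED_MINOR:
        return major > 17  # newer majors shipped after the fix; majors below 12 are unsupported and unfixed
    return minor >= FIXED_MINOR[major]

# Assumed log_line_prefix = '%m [%p] %u@%d ' with log_statement = 'all' (an assumption, not from the page).
LOG_RE = re.compile(r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@\S+ LOG:\s+statement: (?P<sql>.*)$")
SWITCH_RE = re.compile(r"^\s*SET\s+(ROLE|SESSION\s+AUTHORIZATION)\b", re.IGNORECASE)
RESET_RE = re.compile(r"^\s*RESET\s+(ROLE|SESSION\s+AUTHORIZATION)\b", re.IGNORECASE)
WRITE_RE = re.compile(r"^\s*(UPDATE|DELETE)\b", re.IGNORECASE)

def flag_role_switch_activity(lines, service_accounts):
    """Return (pid, user, kind, sql) findings: switches by service accounts, and writes made while a switch is in effect."""
    switched = {}  # backend pid -> the SET statement that switched identity
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        pid, user, sql = m["pid"], m["user"], m["sql"].strip()
        if SWITCH_RE.match(sql):
            switched[pid] = sql
            if user in service_accounts:
                findings.append((pid, user, "role-switch", sql))
        elif RESET_RE.match(sql):
            switched.pop(pid, None)  # identity restored; later writes in this backend are not flagged
        elif WRITE_RE.match(sql) and pid in switched:
            findings.append((pid, user, "write-after-switch", sql))
    return findings

# Constructed sample log lines (not real traffic): one backend switches role, writes, resets, writes again.
SAMPLE_LOG = """\
2024-11-15 10:00:01.001 UTC [4242] app_svc@appdb LOG:  statement: SET ROLE tenant_a
2024-11-15 10:00:01.002 UTC [4242] app_svc@appdb LOG:  statement: SELECT id FROM invoices WHERE owner = current_user
2024-11-15 10:00:01.003 UTC [4242] app_svc@appdb LOG:  statement: UPDATE invoices SET paid = true WHERE owner = current_user
2024-11-15 10:00:01.004 UTC [4243] reporting@appdb LOG:  statement: SELECT count(*) FROM invoices
2024-11-15 10:00:01.005 UTC [4242] app_svc@appdb LOG:  statement: RESET ROLE
2024-11-15 10:00:01.006 UTC [4242] app_svc@appdb LOG:  statement: DELETE FROM invoices WHERE id = 7
""".splitlines()
```

Run flag_role_switch_activity(SAMPLE_LOG, {"app_svc"}) to get the two findings for backend 4242; the DELETE after RESET ROLE is not flagged, and the reporting backend is ignored.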
How to Mitigate CVE-2024-10978
Immediate Actions Required
- Upgrade PostgreSQL to version 17.1, 16.5, 15.9, 14.14, 13.17, or 12.21 or later, matching the deployed major version
- Inventory applications using SET ROLE or SET SESSION AUTHORIZATION and prioritize them for patching
- Restart PostgreSQL services after upgrading to ensure all sessions use the fixed code path
Patch Information
PostgreSQL released fixes in versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 on 2024-11-14. Debian users should apply updates referenced in Debian LTS Announcement #11 and Debian LTS Announcement #18. Full vendor details are available in the PostgreSQL Security Advisory CVE-2024-10978.
Workarounds
- Avoid relying on current_setting('role') or the current user ID for row-level authorization in application queries until patched
- Enforce data isolation through native PostgreSQL row-level security policies bound to session attributes that a role switch cannot alter, rather than to the switched role name
- Restrict database connections to trusted application tiers and limit privileges granted to application roles
Upgrade and Verification Commands
# Example apt upgrade on Debian-based systems
sudo apt update
# The server binaries live in the versioned package (postgresql-NN); the unversioned
# metapackages are usually already current and will not pull in the fixed minor release.
# Replace NN with the installed major version (see pg_lsclusters).
sudo apt install --only-upgrade postgresql postgresql-client postgresql-NN
sudo systemctl restart postgresql
# Verify the running PostgreSQL version after upgrade
psql -U postgres -c "SHOW server_version;"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


