Fix privilege checks in pg_stats_ext and pg_stats_ext_exprs.
The catalog view pg_stats_ext fails to consider privileges for
expression statistics. The catalog view pg_stats_ext_exprs fails
to consider privileges and row-level security policies. To fix,
restrict the data in these views to table owners or roles that
inherit privileges of the table owner. It may be possible to apply
less restrictive privilege checks in some cases, but that is left
as a future exercise. Furthermore, for pg_stats_ext_exprs, do not
return data for tables with row-level security enabled, as is
already done for pg_stats_ext.
On the back-branches, a fix-CVE-2024-4317.sql script is provided
that will install into the "share" directory. This file can be
used to apply the fix to existing clusters.
Bumps catversion on 'master' branch only.
Reported-by: Lukas Fittl
Reviewed-by: Noah Misch, Tomas Vondra, Tom Lane
Security: CVE-2024-4317
Backpatch-through: 14
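As an added example, not part of this commit or of PostgreSQL's own code: the SQL below, run as a superuser on a PostgreSQL 14+ test cluster, checks whether the two views still return expression statistics to a role that has no privilege on the underlying table, which is the exposure the commit message describes. The roles stats_owner and stats_peeker, the table secret_data and the statistics objects are made up for the check.

```sql
-- Added check, not PostgreSQL's own code: does this cluster still expose
-- expression statistics to a role that cannot read the table?
-- Run as a superuser. Role, table and statistics names are made up.
CREATE ROLE stats_owner;
CREATE ROLE stats_peeker;
-- On PG15+ the default public schema no longer grants CREATE to PUBLIC.
GRANT CREATE ON SCHEMA public TO stats_owner;

SET ROLE stats_owner;
CREATE TABLE secret_data (id int PRIMARY KEY, ssn text NOT NULL);
-- 20 repeating values so that ANALYZE collects a most-common-values list.
INSERT INTO secret_data
SELECT g, 'SSN-' || (g % 20) FROM generate_series(1, 1000) AS g;
-- Single-expression statistics: surfaced through pg_stats_ext_exprs.
CREATE STATISTICS secret_expr_stats ON (lower(ssn)) FROM secret_data;
-- Multivariate MCV statistics over expressions: surfaced through pg_stats_ext.
CREATE STATISTICS secret_mcv_stats (mcv) ON (lower(ssn)), (id % 10) FROM secret_data;
-- ANALYZE stores sample values of the expressions, i.e. of the column
-- contents themselves, in pg_statistic_ext_data.
ANALYZE secret_data;
RESET ROLE;

-- The owner is expected to see its own statistics in both views.
SET ROLE stats_owner;
SELECT statistics_name, expr, most_common_vals
FROM pg_stats_ext_exprs
WHERE tablename = 'secret_data';
RESET ROLE;

-- A role with no privilege at all on secret_data. On an unpatched cluster
-- both queries return rows whose most_common_vals are built from ssn;
-- on a patched cluster both return no rows.
SET ROLE stats_peeker;
SELECT statistics_name, expr, most_common_vals
FROM pg_stats_ext_exprs
WHERE tablename = 'secret_data';

SELECT statistics_name, kinds, most_common_vals
FROM pg_stats_ext
WHERE tablename = 'secret_data';
RESET ROLE;

-- Cleanup: dropping the table drops its statistics objects as well.
DROP TABLE secret_data;
REVOKE CREATE ON SCHEMA public FROM stats_owner;
DROP ROLE stats_owner;
DROP ROLE stats_peeker;
```

The two queries run as stats_peeker are the actual test; the owner's query is there only so that an empty result for the peeker is clearly the privilege check and not a missing ANALYZE. On back branches the commit message points to a fix-CVE-2024-4317.sql script in the "share" directory for existing clusters; rerunning this check after applying it confirms the view definitions were actually replaced.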
doc/src/sgml/system-views.sgml (+2 -2)
@@ -3944,7 +3944,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
3944
3944
and <link linkend="catalog-pg-statistic-ext-data"><structname>pg_statistic_ext_data</structname></link>
3945
3945
catalogs. This view allows access only to rows of
3946
3946
<link linkend="catalog-pg-statistic-ext"><structname>pg_statistic_ext</structname></link> and <link linkend="catalog-pg-statistic-ext-data"><structname>pg_statistic_ext_data</structname></link>
3947
-
that correspond to tables the user has permission to read, and therefore
3947
+
that correspond to tables the user owns, and therefore
3948
3948
it is safe to allow public read access to this view.
3949
3949
</para>
3950
3950
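Review bot: the new wording at 3947, "that correspond to tables the user owns", is narrower than what the commit message says the view now returns, namely rows for table owners or roles that inherit the owner's privileges; a role that inherits ownership privileges will read this paragraph and expect to see nothing. Suggest "tables the user owns (directly or through an inherited role)" or equivalent. The paragraph also still omits that rows for tables with row-level security enabled are withheld, which the commit message says pg_stats_ext already does; since this is the paragraph that justifies "it is safe to allow public read access to this view", that condition belongs here too.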
@@ -4155,7 +4155,7 @@ SELECT * FROM pg_locks pl LEFT JOIN pg_prepared_xacts ppx
4155
4155
and <link linkend="catalog-pg-statistic-ext-data"><structname>pg_statistic_ext_data</structname></link>
4156
4156
catalogs. This view allows access only to rows of
4157
4157
<link linkend="catalog-pg-statistic-ext"><structname>pg_statistic_ext</structname></link> and <link linkend="catalog-pg-statistic-ext-data"><structname>pg_statistic_ext_data</structname></link>
4158
-
that correspond to tables the user has permission to read, and therefore
4158
+
that correspond to tables the user owns, and therefore
4159
4159
it is safe to allow public read access to this view.
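Review bot: the same ownership wording concern applies at 4158, and the omission matters more here: the commit message says pg_stats_ext_exprs now additionally stops returning data for tables with row-level security enabled, which is new behaviour for this view, yet the hunk only changes "has permission to read" to "owns". A reader of this paragraph would not learn that RLS-enabled tables are excluded; suggest adding that condition so the "therefore it is safe to allow public read access" justification is complete. Note also that this excerpt shows only the SGML change; the view definition change and the fix-CVE-2024-4317.sql script the commit message mentions are not in this diff, so the documented behaviour cannot be checked against the view text here.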