Home > Vulnerability Database > CVE-2024-2339

Mend.io Vulnerability Database

CVE-2024-2339

Good to know:

Date: March 8, 2024

PostgreSQL Anonymizer v1.2 contains a vulnerability that allows a user who owns a table to elevate to superuser. A user can define a masking function for a column and place malicious code in that function. When a privileged user applies the masking rules using the static masking or the anonymous dump method, the malicious code is executed and can grant escalated privileges to the malicious user. PostgreSQL Anonymizer v1.2 does provide a protection against this risk with the restrict_to_trusted_schemas option, but that protection is incomplete. Users that don't own a table, especially masked users cannot exploit this vulnerability. The problem is resolved in v1.3.

Language: C

Severity Score

8.0

Related Resources (3)

Url: https://nvd.nist.gov/vuln/detail/CVE-2024-2339

Url: https://gitlab.com/dalibo/postgresql_anonymizer/-/commit/e517b38e62e50871b04011598e73a7308bdae9d9

Url: https://www.mend.io/vulnerability-database/CVE-2024-2339

Severity Score

8.0

Weakness Type (CWE)

Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version 1.3.0

Learn More

CVSS v3.1

Base Score:	8.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2024-2339

Good to know:

Date: March 8, 2024

Language: C

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?