
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-10976 is a security vulnerability in PostgreSQL caused by incomplete tracking of tables with row security. It was discovered and disclosed on November 14, 2024, and affects PostgreSQL versions before 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. It is related to two earlier vulnerabilities, CVE-2023-2455 and CVE-2016-2193, which concerned the interaction between row security and user ID changes (PostgreSQL Advisory).
The vulnerability arises when a subquery, WITH query, security invoker view, or SQL-language function references a table that has a row-level security policy. Because such tables are not fully tracked, an incorrect policy can be applied when role-specific policies are in use and a query is planned under one role but executed under a different one. The CVSS v3.1 scores differ between sources: NVD rates it 5.4 (MEDIUM) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N, while PostgreSQL rates it 4.2 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (NVD).
When an incorrect policy is applied, a user can complete reads and modifications that the correct policy would have forbidden. Only databases that have used CREATE POLICY to define a row security policy are affected. The scenario can arise under security definer functions, or when a common user's query is planned once and the plan is then re-used across multiple SET ROLEs (PostgreSQL Advisory).
The vulnerability has been fixed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Users should upgrade to these or later versions to mitigate the vulnerability (PostgreSQL Advisory).
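A triage query for this advisory, added here as an example (it is not part of this entry or of the PostgreSQL advisory): it reports whether the server is still on an affected release and lists the role-specific row security policies that the described scenario concerns. It assumes the standard `server_version_num` setting and the `pg_policies` system view.

```sql
-- Added triage example for CVE-2024-10976 (not from the advisory).
-- 1. Is this server on a release older than the fixed minor version?
--    server_version_num encodes major*10000 + minor, e.g. 17.1 = 170001.
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN v >= 170000 THEN v < 170001   -- fixed in 17.1
         WHEN v >= 160000 THEN v < 160005   -- fixed in 16.5
         WHEN v >= 150000 THEN v < 150009   -- fixed in 15.9
         WHEN v >= 140000 THEN v < 140014   -- fixed in 14.14
         WHEN v >= 130000 THEN v < 130017   -- fixed in 13.17
         WHEN v >= 120000 THEN v < 120021   -- fixed in 12.21
         ELSE TRUE                          -- older majors are out of support: treat as unfixed
       END AS affected_by_cve_2024_10976
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- 2. Does this database use CREATE POLICY at all? If this returns no rows,
--    the advisory's precondition is not met. Policies granted TO specific
--    roles (rather than PUBLIC) are the ones the role-switch scenario affects.
SELECT schemaname, tablename, policyname, permissive, roles, cmd,
       qual        AS using_expr,
       with_check  AS with_check_expr
FROM pg_policies
WHERE roles <> '{public}'
ORDER BY schemaname, tablename, policyname;
```

Run both statements in each database of the cluster; a server flagged as affected that also returns policies in the second query should be upgraded to the fixed release listed above.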
Source: This report was generated using AI