Vulnerability Details : CVE-2024-4317

Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.
Published 2024-05-09 13:00:01
Updated 2025-03-28 15:15:45
Source PostgreSQL
View at NVD,   CVE.org

Products affected by CVE-2024-4317

Exploit prediction scoring system (EPSS) score for CVE-2024-4317

EPSS FAQ
0.02%
Probability of exploitation activity in the next 30 days EPSS Score History
~ 4 %
Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2024-4317

Base Score Base Severity CVSS Vector Exploitability Score Impact Score Score Source First Seen
3.1
 LOW CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
1.6
1.4
 PostgreSQL 2024-05-13
4.3
 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
2.8
1.4
 NIST 2025-02-12

CWE ids for CVE-2024-4317

  • The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
    Assigned by:
    • f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 (Secondary)
    • nvd@nist.gov (Primary)

References for CVE-2024-4317

Jump to
This web site uses cookies for managing your session, storing preferences, website analytics and additional purposes described in our privacy policy.
By using this web site you are agreeing to CVEdetails.com terms of use!
Accept Close