CVE-2024-10978

4.2 MEDIUM

📋 TL;DR

This PostgreSQL vulnerability allows a less-privileged application user to view or modify unintended database rows when the application uses SET ROLE or SET SESSION AUTHORIZATION features. The issue occurs when queries react to current_setting('role') or current user ID, potentially bypassing intended privilege restrictions. Affected users are those running PostgreSQL versions before 17.1, 16.5, 15.9, 14.14, 13.17, or 12.21 with applications that use these session switching features.

💻 Affected Systems

Products:
  • PostgreSQL
Versions: Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21
Operating Systems: All operating systems running affected PostgreSQL versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when applications use SET ROLE, SET SESSION AUTHORIZATION, or equivalent features with queries that react to current_setting('role') or current user ID.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized data disclosure or modification across different user contexts, potentially exposing sensitive information or corrupting data integrity.

🟠 Likely Case

Limited data exposure within the same application context where an attacker can only access/modify data from unintended rows but not arbitrary data.

🟢 If Mitigated

No impact if applications don't use SET ROLE/SET SESSION AUTHORIZATION or properly validate user context in queries.

🌐 Internet-Facing: MEDIUM - Requires authenticated access and specific application configurations, but could impact web applications using PostgreSQL.
🏢 Internal Only: MEDIUM - Similar risk profile but limited to internal attackers with application access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access, specific application configurations using session switching features, and queries that react to user context changes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, or 12.21

Vendor Advisory: https://www.postgresql.org/support/security/CVE-2024-10978/

Restart Required: Yes

Instructions:

1. Back up your PostgreSQL database.
2. Stop the PostgreSQL service.
3. Upgrade to the patched version using your distribution's package manager or PostgreSQL binaries.
4. Restart the PostgreSQL service.
5. Verify the version and application functionality.

🔧 Temporary Workarounds

Disable session switching features
Applies to: all affected versions
Modify applications to avoid using SET ROLE, SET SESSION AUTHORIZATION, or equivalent features.

Audit application queries
Applies to: all affected versions
Review application code for queries that react to current_setting('role') or current user ID and modify them so they do not depend on session context.

🧯 If You Can't Patch

  • Review and modify application queries to avoid reacting to current_setting('role') or current user ID when using session switching features
  • Implement additional application-level authorization checks independent of PostgreSQL session context

🔍 How to Verify

Check if Vulnerable:

Check PostgreSQL version and compare against affected versions. Review application code for use of SET ROLE/SET SESSION AUTHORIZATION with queries reacting to user context.

Check Version:

psql --version (reports only the psql client version) or SELECT version(); run inside a PostgreSQL session (reports the server version, which is the one that matters for this CVE)

Verify Fix Applied:

Verify the server version is at least the fixed release of its major branch (17.1, 16.5, 15.9, 14.14, 13.17 or 12.21, or later), and test application functionality with session switching features.
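The version check above, as an added example that is not part of the advisory: a small Python helper that parses the output of SELECT version(); (or psql --version) and decides whether the reported release is older than the fixed release of its major branch. The fixed releases are the ones listed in this advisory; treating branches newer than 17 as fixed and branches older than 12 as vulnerable is an assumption of the example, and the sample version strings are constructed.

```python
"""Added example (not from the advisory): classify a PostgreSQL version
string against the CVE-2024-10978 fixed releases listed above."""
import re

# Fixed releases from the advisory, keyed by major version.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# Matches "PostgreSQL 16.4 on x86_64..." (SELECT version()) and
# "psql (PostgreSQL) 16.5" (psql --version). The minor part is optional so
# pre-release strings such as "PostgreSQL 17beta1" still yield a major.
VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor) from a version string, or None if absent."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) else 0  # "17beta1" -> (17, 0)
    return major, minor


def is_vulnerable(text):
    """True when the version is older than its branch's fixed release.

    Assumption of this example: branches not in the table are treated as
    vulnerable when older than 12 (unsupported, never fixed) and as fixed
    when newer than 17 (released after the fix).
    """
    parsed = parse_version(text)
    if parsed is None:
        raise ValueError("no PostgreSQL version found in: %r" % (text,))
    major, minor = parsed
    if major in FIXED_MINOR:
        return minor < FIXED_MINOR[major]
    return major < min(FIXED_MINOR)


# Constructed sample outputs, as a server and a client would report them.
SAMPLES = [
    "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 13.2.0, 64-bit",
    "psql (PostgreSQL) 16.5",
    "PostgreSQL 12.20",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print("VULNERABLE" if is_vulnerable(s) else "fixed     ", "|", s)
```

Feed it the server's SELECT version(); output rather than psql --version: the client string only proves which psql binary is installed, not which server it is talking to.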

📡 Detection & Monitoring

Log Indicators:

  • Unusual query patterns when SET ROLE/SET SESSION AUTHORIZATION is used
  • Unexpected data access patterns from application users

Network Indicators:

  • Normal database traffic patterns - no specific network indicators

SIEM Query:

PostgreSQL logs showing SET ROLE or SET SESSION AUTHORIZATION followed by queries with unexpected data access patterns
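The log indicator described above, as an added example that is not part of the advisory: a Python scanner that walks PostgreSQL statement logs, tracks per-backend SET ROLE / SET SESSION AUTHORIZATION switches until the matching RESET, and reports statements issued while a switch is in effect that read the session role or user (current_setting('role'), current_user, session_user, current_role). The output is an audit list of the exact query pattern the advisory says to review, not a proof of exploitation. The log format assumed is log_statement = 'all' with a log_line_prefix of '%m [%p] %u@%d ', and the log lines are constructed.

```python
"""Added example (not from the advisory): find statements that depend on the
session role/user while a SET ROLE or SET SESSION AUTHORIZATION is active."""
import re

# Assumed format: log_line_prefix = '%m [%p] %u@%d ' with log_statement = 'all'.
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@ ]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$"
)
# Statements that switch the effective role or session user.
SWITCH_RE = re.compile(r"^\s*SET\s+(?:ROLE|SESSION\s+AUTHORIZATION)\b", re.I)
# Statements that end a switch (checked before SWITCH_RE so "SET ROLE NONE" resets).
RESET_RE = re.compile(
    r"^\s*(?:RESET\s+(?:ROLE|SESSION\s+AUTHORIZATION)|SET\s+ROLE\s+NONE|DISCARD\s+ALL)\b",
    re.I,
)
# Expressions through which a query reacts to the current role or user ID.
CONTEXT_RE = re.compile(
    r"current_setting\(\s*'role'\s*\)|\bcurrent_user\b|\bsession_user\b|\bcurrent_role\b",
    re.I,
)


def scan(lines):
    """Return [(pid, switch_statement, dependent_statement), ...]."""
    active = {}  # pid -> the SET statement currently in effect for that backend
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a statement line (e.g. DETAIL, connection messages)
        pid, sql = m.group("pid"), m.group("sql")
        if RESET_RE.match(sql):
            active.pop(pid, None)
        elif SWITCH_RE.match(sql):
            active[pid] = sql
        elif pid in active and CONTEXT_RE.search(sql):
            hits.append((pid, active[pid], sql))
    return hits


# Constructed sample log: two backends switch roles, one never does.
SAMPLE_LOG = [
    "2024-11-20 10:15:01.123 UTC [4021] app@shop LOG:  statement: SET ROLE tenant_a",
    "2024-11-20 10:15:01.130 UTC [4021] app@shop LOG:  statement: SELECT * FROM orders WHERE tenant = current_setting('role')",
    "2024-11-20 10:15:01.140 UTC [4021] app@shop LOG:  statement: RESET ROLE",
    "2024-11-20 10:15:01.150 UTC [4021] app@shop LOG:  statement: SELECT current_user",
    "2024-11-20 10:15:02.000 UTC [4022] app@shop LOG:  statement: SELECT current_user",
    "2024-11-20 10:15:03.000 UTC [4023] app@shop LOG:  statement: SET SESSION AUTHORIZATION bob",
    "2024-11-20 10:15:03.010 UTC [4023] app@shop LOG:  statement: UPDATE accounts SET balance = 0 WHERE owner = session_user",
    "2024-11-20 10:15:03.020 UTC [4023] app@shop LOG:  statement: SELECT 1",
]

if __name__ == "__main__":
    for pid, switch, stmt in scan(SAMPLE_LOG):
        print("backend %s: after %r ran %r" % (pid, switch, stmt))
```

Run it over a real log by reading the file into a list of lines; adjust LOG_RE if your log_line_prefix differs. Each hit names a query the advisory's workaround section says to rewrite so that it no longer depends on session context.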
