CVE-2024-45624
📋 TL;DR
This vulnerability in Pgpool-II allows unauthorized database users to access cached query results containing sensitive table data they shouldn't have permission to view. It affects Pgpool-II installations with query caching enabled where users have access to query cache functionality. The issue stems from incompatible access control policies between the database and cache layers.
💻 Affected Systems
- Pgpool-II
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate sensitive database contents including personally identifiable information, financial data, or credentials through cached query results, potentially leading to data breaches and regulatory violations.
Likely Case
Unauthorized users with database access could retrieve cached query results containing data from tables they lack direct permissions for, leading to information disclosure and potential privilege escalation.
If Mitigated
With proper access controls, network segmentation, and query caching disabled, the impact is limited to authorized users only accessing their permitted data.
🎯 Exploit Status
Exploitation requires valid database user credentials and knowledge of query cache access methods. The vulnerability is straightforward to exploit once an attacker has database access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.4.5, 4.3.12, 4.2.19, or 4.1.27
Vendor Advisory: https://www.pgpool.net/mediawiki/index.php/Main_Page#News
Restart Required: Yes
Instructions:
1. Back up your Pgpool-II configuration and data.
2. Download the patched version from pgpool.net.
3. Stop the Pgpool-II service.
4. Install the updated version.
5. Restart the Pgpool-II service.
6. Verify the new version is running.
🔧 Temporary Workarounds
Disable Query Caching
Platform: linux
Temporarily disable query caching to prevent unauthorized data access through the cache
# Edit pgpool.conf
memory_cache_enabled = off
# Restart Pgpool-II (the unit name depends on the package, for example pgpool2 on Debian/Ubuntu)
systemctl restart pgpool
Restrict Cache Access
Platform: all
Implement stricter access controls to limit which users can access query cache functionality
# Configure pool_hba.conf to restrict cache-related operations
# Review and tighten user permissions in pgpool.conf
🧯 If You Can't Patch
- Disable query caching completely in pgpool.conf configuration
- Implement network segmentation to restrict Pgpool-II access to trusted hosts only
🔍 How to Verify
Check if Vulnerable:
Check the Pgpool-II version with pgpool -v and review pgpool.conf for the memory_cache_enabled setting.
Check Version:
pgpool -v
Verify Fix Applied:
Run pgpool -v and verify that the version is 4.4.5, 4.3.12, 4.2.19, or 4.1.27 or higher.
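The version and cache checks above can be combined into one script. This is an added example, not a vendor or site script: the function names and the sample input are constructed, and the fixed releases are the ones listed on this page.

```shell
#!/bin/sh
# Added example: checks a `pgpool -v` string and a pgpool.conf against this page.
# Fixed release per branch as listed on this page, written branch:patch.
FIXED="4.4:5 4.3:12 4.2:19 4.1:27"

# extract_version "<pgpool -v output>" -> X.Y.Z (empty if none found)
extract_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1
}

# version_status X.Y.Z -> fixed | unpatched | unknown
version_status() {
    case "$1" in ''|*[!0-9.]*) echo unknown; return 0 ;; esac
    branch=${1%.*}; patch=${1##*.}
    for entry in $FIXED; do
        if [ "${entry%%:*}" = "$branch" ]; then
            if [ "$patch" -ge "${entry##*:}" ]; then echo fixed; else echo unpatched; fi
            return 0
        fi
    done
    echo unknown   # branch not listed on this page: consult the vendor advisory
}

# cache_setting <pgpool.conf> -> on | off
# Assumptions: the last uncommented assignment wins; unset means off (the default).
cache_setting() {
    val=$(sed -n "s/^[[:space:]]*memory_cache_enabled[[:space:]]*=[[:space:]]*'\{0,1\}\([A-Za-z0-9]*\).*/\1/p" "$1" 2>/dev/null |
        tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in on|true|yes|1) echo on ;; *) echo off ;; esac
}

# assess "<pgpool -v output>" <pgpool.conf> -> "X.Y.Z status cache=on|off"
assess() {
    ver=$(extract_version "$1")
    echo "${ver:-none} $(version_status "$ver") cache=$(cache_setting "$2")"
}

# Constructed sample input, not taken from a real host.
sample_conf=$(mktemp)
printf '%s\n' "#memory_cache_enabled = off" "memory_cache_enabled = 'on'" > "$sample_conf"
assess "pgpool-II version 4.3.11 (tamahomeboshi)" "$sample_conf"
rm -f "$sample_conf"
```

On a host, pass the real output and configuration file, for example `assess "$(pgpool -v 2>&1)" /path/to/pgpool.conf`; the configuration path depends on how Pgpool-II was installed.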
📡 Detection & Monitoring
Log Indicators:
- Unusual query cache access patterns
- Multiple failed cache access attempts from same user
- Cache hits for queries from unauthorized users
Network Indicators:
- Unusual database query patterns through Pgpool-II
- Excessive cache-related network traffic
SIEM Query:
source="pgpool.log" AND ("cache" OR "query_cache") AND ("unauthorized" OR "permission denied")