September 26, 2024: PostgreSQL 17 Released!

CVE-2024-4317

Restrict visibility of "pg_stats_ext" and "pg_stats_ext_exprs" entries to the table owner

Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes, which are provided as a convenience in the below section. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.

This fix only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after this fix is applied. If you have a current PostgreSQL installation and are concerned about this issue, please use the following remediation steps to fix the issue:

  1. Find the SQL script fix-CVE-2024-4317.sql in the share directory of your PostgreSQL installation (e.g. in /usr/share/postgresql/), or download it from the PostgreSQL git repository from one of the URLs below. You will need to use the script that matches your major version:

  2. PostgreSQL 16: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/catalog/fix-CVE-2024-4317.sql;hb=refs/heads/REL_16_STABLE

  3. PostgreSQL 15: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/catalog/fix-CVE-2024-4317.sql;hb=refs/heads/REL_15_STABLE
  4. PostgreSQL 14: https://git.postgresql.org/gitweb/?p=postgresql.git;a=blob;f=src/backend/catalog/fix-CVE-2024-4317.sql;hb=refs/heads/REL_14_STABLE

From the above URLs, you can click the URL that says "raw" to download a version that you can copy and paste.

Be sure to use the script appropriate to your PostgreSQL major version. If you do not see this file, either your version is not vulnerable (only PostgreSQL 14, 15, and 16 are affected) or your minor version is too old to have the fix.

  1. In each database of the cluster, run the fix-CVE-2024-4317.sql script as a database superuser. For example, in psql, with the file located in /usr/share/postgresql/, this command would look like:

\i /usr/share/postgresql/fix-CVE-2024-4317.sql

  1. You must also execute this script in the template0 and template1 databases, or the vulnerability will still exist in databases you create later. To fix template0, you'll need to temporarily allow it accept connections. You can do this with the following command:

ALTER DATABASE template0 WITH ALLOW_CONNECTIONS true;

After executing the fix-CVE-2024-4317.sql script in template0 and template1, you should revoke the ability for template0 to accept connections. You can do this with the following command:

ALTER DATABASE template0 WITH ALLOW_CONNECTIONS false;

The PostgreSQL project thanks Lukas Fittl for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
16 16.3 May 9, 2024
15 15.7 May 9, 2024
14 14.12 May 9, 2024

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 3.1
Component core server
Vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to security@postgresql.org.

For reporting non-security bugs, please see the Report a Bug page.