1. Home
  2. CVE Database
  3. CVE-2024-2339
HIGH · 8.0

CVE-2024-2339

PostgreSQL Anonymizer v1.2 contains a vulnerability that allows a user who owns a table to elevate to superuser. A user can define a masking function for a column and place malicious code in that fun...

Vulnerability Description

PostgreSQL Anonymizer v1.2 contains a vulnerability that allows a user who owns a table to elevate to superuser. A user can define a masking function for a column and place malicious code in that function. When a privileged user applies the masking rules using the static masking or the anonymous dump method, the malicious code is executed and can grant escalated privileges to the malicious user. PostgreSQL Anonymizer v1.2 does provide a protection against this risk with the restrict_to_trusted_schemas option, but that protection is incomplete. Users that don't own a table, especially masked users cannot exploit this vulnerability. The problem is resolved in v1.3.

CVSS Score

8.0

HIGH

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
HIGH
User Interaction
NONE
Scope
CHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
DaliboAnonymizer1.2.0

Related Weaknesses (CWE)

CWE-20

References

FAQ

What is CVE-2024-2339?

CVE-2024-2339 is a vulnerability with a CVSS score of 8.0 (HIGH). PostgreSQL Anonymizer v1.2 contains a vulnerability that allows a user who owns a table to elevate to superuser. A user can define a masking function for a column and place malicious code in that fun...

How severe is CVE-2024-2339?

CVE-2024-2339 has been rated HIGH with a CVSS base score of 8.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-2339?

Check the references section above for vendor advisories and patch information. Affected products include: Dalibo Anonymizer.