ALPINE-CVE-2024-0985 — Vulnetix

Try Vulnetix Request Demo

ALPINE-CVE-2024-0985 PUBLISHED CVSS 8 HIGH

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

Risk Scores

CVSS v3.1

8

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.16	postgresql14	9.0.1-r0, 9.0.3-r0, 9.0.3-r1
Alpine:v3.19	postgresql16	16.1-r0, 16.0-r2, 16.0-r1
Alpine:v3.19	postgresql15	15.3-r0, 15.3-r1, 15.4-r0
Alpine:v3.20	postgresql15	15.3-r1, 15.5-r0, 15.4-r2
Alpine:v3.22	postgresql16	0, 16.0-r0, 16.0-r1
Alpine:v3.17	postgresql14	9.6.2-r1, 0, 10.0-r0
Alpine:v3.16	postgresql13	13.7-r1, 13.6-r3, 13.6-r2
Alpine:v3.17	postgresql15	0, 15.1-r0, 15.2-r0
Alpine:v3.18	postgresql15	15.2-r2, 15.1-r0, 15.1-r1
Alpine:v3.20	postgresql16	0, 16.1-r0, 16.0-r2
Alpine:v3.21	postgresql16	0, 16.0-r0, 16.0-r1
Alpine:v3.18	postgresql14	14.3-r0, 14.3-r1, 14.4-r0

Timeline

Feb 8, 2024 CVE Published
Nov 19, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2024-0985 advisory

Open in Interactive Console →