HOMEVULNERABILITIESCVE-2024-0985
HIGH

CVE-2024-0985

CWE-271Published: February 8, 2024· Updated: Jun 17, 2026

8.0
CVSS v3.1

Official Description

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

NVD Source

Technical Analysis

CVE-2024-0985 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), availability disruption (denial of service), with a CVSS base score of 8.0.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorNetwork
Attack ComplexityLow
Privileges Req.Low
User InteractionRequired
ScopeUnchanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityHigh
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected Vendors & Products

postgresql1 product(s)
postgresql
Source: NVD CPE · 1 total CPE entries

Exploit & PoC Resources

NO KNOWN EXPLOITNo public exploit confirmed at this time
External links open in a new tab. Always verify in a controlled environment before use.

Official Patches & Advisories

News & Research Mentioning CVE-2024-0985

ABB Ability Symphony Plus Engineering
CISA Alerts· Apr 30, 2026

View CSAF Summary ABB became aware of vulnerability in the products versions listed as affected in the advisory. The ABB S+ Engineering product versions are affected by vulnerabilities in PostgreSQL version 13.11 and earlier versions. If an attacker gains access to a site’s S+ Client Server network, they could exploit such vulnerabilities by executing arbitrary code and potentially compromising the entire system. The following versions of ABB Ability Symphony Plus Engineering are affected: Ability Symphony Plus 2.2, 2.3, 2.3_RU1, 2.3_RU2, 2.3_RU3, 2.4, 2.4_SP1, 2.4_SP2, 2.4_SP2_RU1 CVSS Vendor Equipment Vulnerabilities v3 8.8 ABB ABB Ability Symphony Plus Engineering Integer Overflow or Wraparound, Improper Neutralization of Special Elements used in [xlite_meta score:73 src:CISA Alerts xlite_fp:5713cdccfd12845e89feabee111b425b5008b1f13895d37a7f84ca253c635bd1]

All References (7)

Quick Facts

CVE IDCVE-2024-0985
CVSS Score8.0 / 10
SeverityHIGH
WeaknessCWE-271
CISA KEVNo
Affected1 vendor(s)
PublishedFeb 8, 2024

Related CVEs (CWE-271)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2024-0985 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.