Security Bulletin: Multiple CVEs: CVE-2024-10976, CVE-2025-4207, CVE-2023-5870 and CVE-2025-1094

Created by PSIRT Functional ID on
Published URL:
https://www.ibm.com/support/pages/node/7249528

Security Bulletin


Summary

Security Bulletin for Multiple CVEs. Refer to the Vulnerability Details section below for more details.

Vulnerability Details

CVEID:   CVE-2024-10976
DESCRIPTION:   Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CWE:   CWE-1250: Improper Preservation of Consistency Between Independent Representations of Shared State
CVSS Source:   NVD
CVSS Base score:   5.4
CVSS Vector:   (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2024-10978
DESCRIPTION:   Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CWE:   CWE-266: Incorrect Privilege Assignment
CVSS Source:   NVD
CVSS Base score:   4.2
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N)

CVEID:   CVE-2025-4207
DESCRIPTION:   Buffer over-read in PostgreSQL GB18030 encoding validation allows a database input provider to achieve temporary denial of service on platforms where a 1-byte over-read can elicit process termination. This affects the database server and also libpq. Versions before PostgreSQL 17.5, 16.9, 15.13, 14.18, and 13.21 are affected.
CWE:   CWE-126: Buffer Over-read
CVSS Source:   PostgreSQL
CVSS Base score:   5.9
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID:   CVE-2024-10977
DESCRIPTION:   Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CWE:   CWE-348: Use of Less Trusted Source
CVSS Source:   NVD
CVSS Base score:   3.7
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:   CVE-2023-5870
DESCRIPTION:   A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.
CWE:   CWE-400: Uncontrolled Resource Consumption
CVSS Source:   IBM X-Force
CVSS Base score:   2.2
CVSS Vector:   (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L)

CVEID:   CVE-2025-1094
DESCRIPTION:   Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
CWE:   CWE-149: Improper Neutralization of Quoting Syntax
CVSS Source:   NVD
CVSS Base score:   8.1
CVSS Vector:   (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s)             Version(s)   CVE reference
EDB Postgres Advanced Server    17.2         CVE-2024-10976
EDB Postgres Advanced Server    17.5         CVE-2025-4207
EDB Postgres Advanced Server    16.9.0       CVE-2025-4207
EDB Postgres Extended Server    15.10        CVE-2024-10976
EDB Postgres Extended Server    14.0.0       CVE-2025-4207
EDB Postgres Extended Server    16.6         CVE-2024-10976
PostgreSQL                      17.5         CVE-2025-4207
PostgreSQL                      17.3         CVE-2025-1094
PostgreSQL                      16.9         CVE-2025-4207
PostgreSQL                      16.7         CVE-2025-1094
PostgreSQL                      16.1         CVE-2023-5870
PostgreSQL                      15.5         CVE-2023-5870
PostgreSQL                      15.13        CVE-2025-4207
PostgreSQL                      15.11        CVE-2025-1094
PostgreSQL                      14.18        CVE-2025-4207
PostgreSQL                      14.10        CVE-2023-5870
PostgreSQL                      14.16        CVE-2025-1094
PostgreSQL                      13.19        CVE-2025-1094
PostgreSQL                      13.13        CVE-2023-5870
PostgreSQL                      12.17        CVE-2023-5870
PostgreSQL                      11.22        CVE-2023-5870


For CVE-2025-1094 :

EnterpriseDB Postgres Advanced Server (EPAS)

  • EPAS 13.0.0 - 17.3.0
  • EPAS 13.0.0 - 16.7.0
  • EPAS 13.0.0 - 15.11.0
  • EPAS 13.0.0 - 14.16.0
  • EPAS 13.0.0 - 13.19.25

EnterpriseDB Postgres Extended

  • PGE 13.0 - 17.3
  • PGE 13.0 - 16.7
  • PGE 13.0 - 15.11
  • PGE 13.0 - 14.16
  • PGE 13.0 - 13.1



Remediation/Fixes

1. EDB Response and solution for CVE-2024-10976

  • For PostgreSQL users: Update to a fixed version of PostgreSQL to mitigate the risk.
  • For EDB Postgres Advanced Server users: Update to a fixed version, such as 15.10.0, to apply the security patch.


2. EDB's response and solution for CVE-2025-4207

  • Patching: EDB has released patched versions of its products that include the fix for CVE-2025-4207.
  • Examples of patched versions:
    • EDB Postgres Advanced Server 16.9.0 (release notes mention it includes the fix for CVE-2025-4207)
    • EDB Postgres Extended Server 14 (release notes mention it includes the fix for CVE-2025-4207)
  • Action required: Users of EDB products should upgrade to the latest patched versions to resolve the vulnerability.

3. EDB's response and solution for CVE-2023-5870

  The issue was fixed in newer releases of PostgreSQL. You can mitigate the risk by:
  • Upgrading: Update your PostgreSQL installation to a version that is not affected by this vulnerability.
  • Checking extensions: Ensure any third-party or non-core extensions you use have resilient background workers that can auto-restart if terminated unexpectedly.
  • Reviewing privileges: Strictly limit the pg_signal_backend role to trusted administrators only, as the vulnerability requires an authenticated attacker with high privileges to exploit.


4. CVE-2023-5870 > fixed: https://www.postgresql.org/support/security/CVE-2023-5870/

  a. Exploit Database (EDB): No public exploit for this CVE was found on the EDB. This is related to PostgreSQL, not EDB Postgres.

    PostgreSQL and EDB PostgreSQL are related but not identical. PostgreSQL refers to the open-source, community-driven object-relational database management system (ORDBMS). It is a powerful and widely used database known for its reliability, feature set, and adherence to SQL standards. EDB PostgreSQL (or EnterpriseDB Postgres) refers to the products and services offered by EnterpriseDB (EDB), a company that provides enterprise-grade solutions based on PostgreSQL.

  b. Resolution: The vulnerability was addressed in subsequent releases of PostgreSQL.
    • PostgreSQL: Patched in versions 16.1, 15.5, 14.10, 13.13, and 12.17.
    • Red Hat: Addressed in an update for Red Hat Enterprise Linux 8.
    • EnterpriseDB (EDB): Specific versions of EDB Postgres Advanced Server (EPAS) are affected and should be patched.


5. CVE-2025-1094: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation

The fix is included in the following versions: 17.3, 16.7, 15.11, 14.16, and 13.19.

PostgreSQL Version Information

Affected Version              Fixed In   Fix Published
All versions prior to 17.3    17.3       2025-01-13
All versions prior to 16.3    16.7       2025-01-13
All versions prior to 15.7    15.11      2025-01-13
All versions prior to 14.12   14.16      2025-01-13
All versions prior to 13.19   13.19      2025-01-13
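The fixed releases named across this bulletin can be turned into a quick inventory check. The following is an added example (not IBM or EDB code): it parses a `SELECT version()` or `psql -V` string, reports which of the bulletin's CVEs that release still lacks a fix for, and carries the catalog query an administrator would run to review pg_signal_backend membership for the CVE-2023-5870 mitigation. The sample version string is constructed.

```python
"""Added example (not IBM/EDB code): flag which CVEs in this bulletin a
PostgreSQL version still lacks a fix for, using the fixed releases named here."""
import re

# First fixed minor per major branch, as stated in this bulletin (the
# product table also names 11.22 for CVE-2023-5870).
FIXED_IN = {
    "CVE-2024-10976": {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21},
    "CVE-2024-10978": {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21},
    "CVE-2024-10977": {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21},
    "CVE-2025-4207": {17: 5, 16: 9, 15: 13, 14: 18, 13: 21},
    "CVE-2023-5870": {16: 1, 15: 5, 14: 10, 13: 13, 12: 17, 11: 22},
    "CVE-2025-1094": {17: 3, 16: 7, 15: 11, 14: 16, 13: 19},
}

# Roles holding pg_signal_backend, which the CVE-2023-5870 mitigation says
# to restrict; pg_auth_members / pg_roles are standard catalogs.
SIGNAL_BACKEND_MEMBERS_SQL = """\
SELECT m.rolname
  FROM pg_auth_members am
  JOIN pg_roles m ON m.oid = am.member
  JOIN pg_roles g ON g.oid = am.roleid
 WHERE g.rolname = 'pg_signal_backend';"""

def parse_version(text):
    """Pull (major, minor) out of `SELECT version()` or `psql -V` output."""
    m = re.search(r"PostgreSQL\)?\s+(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no PostgreSQL version in {text!r}")
    return int(m.group(1)), int(m.group(2))

def outstanding_cves(text):
    """Return the bulletin's CVEs whose fix is absent from the given version.
    A major newer than every listed branch was cut after the fix (treated as
    fixed); a major older than all listed branches has no fixed release in
    this bulletin and is reported as outstanding."""
    major, minor = parse_version(text)
    missing = []
    for cve, fixed in FIXED_IN.items():
        if major > max(fixed):
            continue
        if major not in fixed or minor < fixed[major]:
            missing.append(cve)
    return missing

if __name__ == "__main__":
    # Constructed sample of `SELECT version()` output, not from a real host.
    sample = "PostgreSQL 16.6 on x86_64-pc-linux-gnu, compiled by gcc"
    print(outstanding_cves(sample))  # ['CVE-2025-4207', 'CVE-2025-1094']
    print(SIGNAL_BACKEND_MEMBERS_SQL)
```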


Workarounds and Mitigations

None

References

  1. CVE-2024-10976 >
     1. https://www.enterprisedb.com/docs/pge/latest/release_notes/rel_notes17.2/
     2. https://www.postgresql.org/docs/17/release-17-2.html
     3. https://www.enterprisedb.com/docs/pge/15/release_notes/rel_notes15.10/
     4. https://www.enterprisedb.com/docs/pge/16/release_notes/rel_notes16.6/
  2. CVE-2025-4207 > https://www.enterprisedb.com/docs/epas/latest/epas_rel_notes/epas17_5_rel_notes/
  3. CVE-2023-5870 > fixed: https://www.postgresql.org/support/security/CVE-2023-5870/
  4. CVE-2025-1094 > https://www.enterprisedb.com/docs/security/assessments/cve-2025-1094/

Change History

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

Document Location

Worldwide


Document Information

Modified date:
29 October 2025

UID

ibm17249528