TencentOS Server 3: postgresql:15 (TSSA-2024:1121)

🗓️ 16 Jun 2025 00:00:00Reported by TenableType

TencentOS Server 3 is vulnerable to multiple PostgreSQL issues affecting security policies and privileges.

Reporter	Title	Published	Views	Family All 775
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities in IBM API Connect	15 Mar 202500:18	–	ibm
IBM Security Bulletins	Security Bulletin: Multiple Security Vulnerabilities were identified in IBM Security Verify Access.	9 Jan 202420:27	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Guardium Data Protection is affected by a PostgreSQL vulnerability (CVE-2024-10979, CVE-2024-10976, CVE-2024-10978).	19 Jun 202505:35	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to CVE-2024-10979	29 Jan 202503:19	–	ibm
IBM Security Bulletins	Security Bulletin: IBM QRadar SIEM contains multiple vulnerabilities	26 Mar 202504:11	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Connect:Direct Web Service is vulnerable to CVE-2024-10976	29 Jan 202503:17	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Data Risk Manager is affected by multiple vulnerabilities (CVE-2023-2454, CVE-2023-2455)	6 Sep 202305:39	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2023-2455)	3 Jul 202304:16	–	ibm
IBM Security Bulletins	Security Bulletin: Vulnerabilities in Golang, Python, postgresql, cURL libcurl might affect IBM Spectrum Copy Data Management	28 Jul 202315:32	–	ibm
IBM Security Bulletins	Security Bulletin: for Multiple CVEs : CVE-2024-10976 , CVE-2025-4207, CVE-2023-5870 and CVE-2025-1094	29 Oct 202510:29	–	ibm

Source	Link
mirrors	www.mirrors.tencent.com/tlinux/errata/tssa-20241121.xml
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Tencent Linux Security Advisory TSSA-2024:1121.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(238732);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/04");

  script_cve_id("CVE-2024-10976", "CVE-2024-10978", "CVE-2024-10979");

  script_name(english:"TencentOS Server 3: postgresql:15 (TSSA-2024:1121)");

  script_set_attribute(attribute:"synopsis", value:
"The remote TencentOS Server 3 host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is,
therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:1121 advisory.

    Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

    CVE-2024-10976:
    Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change
    different rows from those intended.  CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row
    security and user ID changes.  They missed cases where a subquery, WITH query, security invoker view, or
    SQL-language function references a table with a row-level security policy.  This has the same consequences
    as the two earlier CVEs.  That is to say, it leads to potentially incorrect policies being applied in
    cases where role-specific policies are used and a given query is planned under one role and then executed
    under other roles.  This scenario can happen under security definer functions or when a common user and
    query is planned initially and then re-used across multiple SET ROLEs.  Applying an incorrect policy may
    permit a user to complete otherwise-forbidden reads and modifications.  This affects only databases that
    have used CREATE POLICY to define a row security policy.  An attacker must tailor an attack to a
    particular application's pattern of query plan reuse, user ID changes, and role-specific row security
    policies.  Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

    CVE-2024-10978:
    Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change
    different rows from those intended.  An attack requires the application to use SET ROLE, SET SESSION
    AUTHORIZATION, or an equivalent feature.  The problem arises when an application query uses parameters
    from the attacker or conveys query results to the attacker.  If that query reacts to
    current_setting('role') or the current user ID, it may modify or return data as though the session had not
    used SET ROLE or SET SESSION AUTHORIZATION.  The attacker does not control which incorrect user ID
    applies.  Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION
    AUTHORIZATION are not sandboxes for unvetted queries.  Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14,
    13.17, and 12.21 are affected.

    CVE-2024-10979:
    Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to
    change sensitive process environment variables (e.g. PATH).  That often suffices to enable arbitrary code
    execution, even if the attacker lacks a database server operating system user.  Versions before PostgreSQL
    17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://mirrors.tencent.com/tlinux/errata/tssa-20241121.xml");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-10979");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/12/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/12/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/16");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:tencent:tencentos_server:3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:tencent:tencentos_server:postgresql");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tencent Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info2.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/etc/os-release", "Host/TencentOS/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'TencentOS' >!< os_product) audit(AUDIT_OS_NOT, 'TencentOS');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'TencentOS');
if (! preg(pattern:"^3([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'TencentOS 3.x', 'TencentOS ' + os_version);

if (!get_kb_item('Host/TencentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'TencentOS', cpu);

var constraints = [
  {
    'release': '3',
    'pkgs': [
      {'reference':'pg_repack-debuginfo-1.4.8-1.module+el8.8.0+529+32b8dcc8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pg_repack-debuginfo-1.4.8-1.module+el8.8.0+529+32b8dcc8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pg_repack-debugsource-1.4.8-1.module+el8.8.0+529+32b8dcc8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pg_repack-debugsource-1.4.8-1.module+el8.8.0+529+32b8dcc8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pgaudit-debuginfo-1.7.0-1.module+el8.8.0+529+32b8dcc8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pgaudit-debuginfo-1.7.0-1.module+el8.8.0+529+32b8dcc8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pgaudit-debugsource-1.7.0-1.module+el8.8.0+529+32b8dcc8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'pgaudit-debugsource-1.7.0-1.module+el8.8.0+529+32b8dcc8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgres-decoderbufs-debuginfo-1.9.7-1.Final.module+el8.8.0+529+32b8dcc8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgres-decoderbufs-debuginfo-1.9.7-1.Final.module+el8.8.0+529+32b8dcc8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgres-decoderbufs-debugsource-1.9.7-1.Final.module+el8.8.0+529+32b8dcc8', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgres-decoderbufs-debugsource-1.9.7-1.Final.module+el8.8.0+529+32b8dcc8', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-contrib-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-contrib-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-contrib-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-contrib-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-debugsource-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-debugsource-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-docs-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-docs-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-docs-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-docs-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-plperl-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-plperl-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-plperl-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-plperl-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-plpython3-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-plpython3-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-plpython3-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-plpython3-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-pltcl-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-pltcl-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-pltcl-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-pltcl-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-private-devel-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-private-devel-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-private-libs-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-private-libs-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-private-libs-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-private-libs-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-server-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-server-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-server-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-server-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-server-devel-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-server-devel-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-server-devel-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-server-devel-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-static-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-static-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-test-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-test-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-test-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-test-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-test-rpm-macros-15.10-1.module+el8.10.0+712+a2680f84', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-upgrade-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-upgrade-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-upgrade-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-upgrade-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-upgrade-devel-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-upgrade-devel-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-upgrade-devel-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'aarch64', 'rpm_spec_vers_cmp':TRUE},
      {'reference':'postgresql-upgrade-devel-debuginfo-15.10-1.module+el8.10.0+712+a2680f84', 'cpu':'x86_64', 'rpm_spec_vers_cmp':TRUE}
    ]
  }
];

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
  # Check that the target release is equal to the affected release
  if (!empty_or_null(constraint['release'])){
    if (constraint['release'] != os_release) continue;
  }
  if (!empty_or_null(constraint['sp'])){
    if (constraint['sp'] != os_sp) continue;
  }
  foreach var pkg ( constraint['pkgs'] ) {
    reference = NULL;
    sp = NULL;
    _cpu = NULL;
    el_string = NULL;
    rpm_spec_vers_cmp = NULL;
    epoch = NULL;
    allowmaj = NULL;
    exists_check = NULL;
    cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        ## (no known rpm to check OR known rpm_exists)
        (!exists_check || rpm_exists(rpm:exists_check)) &&
        rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'pg_repack-debuginfo / pg_repack-debugsource / pgaudit-debuginfo / etc');
}

04 Dec 2025 00:00Current

7.3High risk

Vulners AI Score7.3

CVSS 25

CVSS 37.5

CVSS 3.18.8

EPSS0.06356

SSVC