CVE-2024-45624: Exposure of Sensitive Information Due to Incompatible Policies in PgPool Global Development Group Pgpool-II
Exposure of sensitive information due to incompatible policies issue exists in Pgpool-II. If a database user accesses a query cache, table data unauthorized for the user may be retrieved.
AI Analysis
Technical Summary
CVE-2024-45624 is a vulnerability identified in Pgpool-II, a widely used middleware that manages connection pooling and load balancing for PostgreSQL databases. The flaw arises from incompatible policies governing query caching, which inadvertently allow database users to access cached query results containing data they are not authorized to see. Specifically, when a user queries the cache, the system may return table data belonging to other users or roles, violating access control policies. This issue affects all versions in the 3.2 series of Pgpool-II. The vulnerability is exploitable remotely without requiring authentication or user interaction, making it particularly dangerous. The core weakness is classified under CWE-200 (Exposure of Sensitive Information). The CVSS 3.1 base score is 7.5, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction needed, unchanged scope, and high confidentiality impact without affecting integrity or availability. Although no active exploits have been reported, the potential for unauthorized data disclosure is significant, especially in environments where Pgpool-II is used to manage sensitive or regulated data. The vulnerability highlights the importance of ensuring that caching mechanisms respect access control policies to prevent data leakage.
Potential Impact
For European organizations, the exposure of sensitive information through Pgpool-II could lead to significant confidentiality breaches, particularly in sectors such as finance, healthcare, government, and critical infrastructure where PostgreSQL databases are common. Unauthorized data access could result in regulatory non-compliance with GDPR and other data protection laws, leading to legal penalties and reputational damage. The vulnerability's ease of exploitation without authentication increases the risk of external attackers gaining access to sensitive data. Organizations relying on Pgpool-II 3.2 for database connection pooling and query caching may inadvertently expose confidential information to unauthorized users or attackers. This could facilitate further attacks such as data theft, espionage, or insider threat exploitation. The lack of impact on integrity and availability means the primary concern is data confidentiality, but the breach itself can have cascading operational and strategic consequences.
Mitigation Recommendations
Immediate mitigation should focus on restricting access to Pgpool-II instances to trusted networks and users only, employing network segmentation and firewall rules to limit exposure. Organizations should monitor and audit query cache usage and access logs to detect anomalous or unauthorized data retrieval attempts. Until an official patch is released, disabling or limiting query caching features in Pgpool-II 3.2 can reduce the risk of data leakage. Implementing strict role-based access controls and ensuring that database user permissions are tightly managed will help minimize unauthorized data exposure. Additionally, organizations should plan to upgrade to a patched version of Pgpool-II as soon as it becomes available. Regular vulnerability scanning and penetration testing targeting Pgpool-II deployments can help identify and remediate this and related issues proactively. Finally, educating database administrators about the risks associated with caching policies and access control misconfigurations is essential.
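As an added example (not part of the original advisory or of Pgpool-II itself), the following sketch audits a pgpool.conf for the "disable or limit query caching" step above. The parameter names `memory_cache_enabled`, `black_memqcache_table_list` and `cache_unsafe_memqcache_table_list` come from Pgpool-II's configuration rather than from this page; the sample file and the list of sensitive tables are constructed, and the pattern matching is an approximation of how Pgpool-II treats the list.

```python
import re

TRUE_WORDS = {"on", "true", "yes", "1"}
# Tables listed here are never cached; older and newer spellings of the setting.
EXCLUDE_KEYS = ("black_memqcache_table_list", "cache_unsafe_memqcache_table_list")
# key = value, value either single-quoted or a bare word; '#' starts a comment.
LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?:'([^']*)'|([^#\s]*))")

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
# pgpool.conf (constructed sample)
listen_addresses = '*'
memory_cache_enabled = on        # query cache active
black_memqcache_table_list = 'payroll,audit_.*'
"""

def parse_conf(text):
    """Return {key: value}; a later assignment overrides an earlier one."""
    settings = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            value = m.group(2) if m.group(2) is not None else m.group(3)
            settings[m.group(1).lower()] = value
    return settings

def audit_query_cache(text, sensitive_tables):
    """Report whether the query cache is on and which sensitive tables
    (a hypothetical, operator-supplied list) are not excluded from it."""
    conf = parse_conf(text)
    enabled = conf.get("memory_cache_enabled", "off").lower() in TRUE_WORDS
    if not enabled:
        return {"cache_enabled": False, "uncovered": []}
    patterns = []
    for key in EXCLUDE_KEYS:
        patterns += [p.strip() for p in conf.get(key, "").split(",") if p.strip()]
    # Assumption: each entry is matched against the whole table name.
    uncovered = [t for t in sensitive_tables
                 if not any(re.fullmatch(p, t) for p in patterns)]
    return {"cache_enabled": True, "uncovered": uncovered}

if __name__ == "__main__":
    print(audit_query_cache(SAMPLE_CONF, ["payroll", "audit_log", "customers"]))
```

A result with `cache_enabled` true and a non-empty `uncovered` list marks a deployment where the cache still holds results from tables that should stay out of it until the upgrade is applied.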
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: jpcert
- Date Reserved: 2024-09-03T01:04:05.769Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69092b7735043901e828cb2e
Added to database: 11/3/2025, 10:23:51 PM
Last enriched: 11/3/2025, 10:46:08 PM
Last updated: 12/20/2025, 5:14:36 PM