Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2024-7348

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Published

2024-08-08T13:15:14.007

Last Modified

2024-11-21T09:51:20.720

Status

Modified

Source

f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Severity

CVSSv3.1: 8.8 (HIGH)

Weaknesses

Type: Secondary
CWE-367
Type: Primary
CWE-367

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	postgresql	postgresql	< 12.20	Yes
Application	postgresql	postgresql	< 13.16	Yes
Application	postgresql	postgresql	< 14.13	Yes
Application	postgresql	postgresql	< 15.8	Yes
Application	postgresql	postgresql	< 16.4	Yes

References

https://www.postgresql.org/support/security/CVE-2024-7348/ Vendor Advisory (f86ef6dc-4d3a-42ad-8f28-e6d5547a5007)
http://www.openwall.com/lists/oss-security/2024/08/11/1 (af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20240822-0002/ (af854a3a-2127-422b-91ae-364da2661108)