CVE-2024-7348

Published: Aug 8, 2024Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.6 / Impact: 5.9

Source: NVD

Description

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Affected (5)

Products: Postgresql: Postgresql

Postgresql

1 product

Postgresql

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	From 12.0 to 12.20
Postgresql Postgresql	From 13.0 to 13.16
Postgresql Postgresql	From 14.0 to 14.13
Postgresql Postgresql	From 15.0 to 15.8
Postgresql Postgresql	From 16.0 to 16.4

Related CWEs

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. This can cause the product to perform invalid actions when the resource is in an unexpected state.

References (3)

https://www.postgresql.org/support/security/CVE-2024-7348/

Source: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007

Vendor Advisory

http://www.openwall.com/lists/oss-security/2024/08/11/1

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.netapp.com/advisory/ntap-20240822-0002/

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.