Attackers Can Execute Arbitrary SQL Functions via Time-of-check Time-of-use Race Condition in PostgreSQL's pg_dump
CVE-2024-7348

7.5 HIGH

Key Information:

Vendor: PostgreSQL
CVE Published: 8 August 2024

Summary

CVE-2024-7348 is a Time-of-check Time-of-use (TOCTOU) race condition in PostgreSQL's pg_dump utility that allows attackers to execute arbitrary SQL functions. It poses a significant security risk, particularly when pg_dump is run by a superuser. An attacker exploits the race by replacing another relation type with a view or foreign table, and the race is particularly easy to win if the attacker maintains an open transaction. PostgreSQL versions prior to 16.4, 15.8, 14.13, 13.16, and 12.20 are affected, and the PostgreSQL project has released patches for these versions. Users should update their systems promptly to mitigate the risk of unauthorized SQL function execution. The vulnerability has been assigned a high severity rating due to its potential confidentiality, integrity, and availability impacts. It has not been exploited in the wild, and there is no evidence of ransomware groups targeting this vulnerability.

Affected Version(s)

PostgreSQL 16 < 16.4

PostgreSQL 15 < 15.8

PostgreSQL 14 < 14.13
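
A version check for the fixed releases named in the Summary, written as an added example for this page and not taken from the PostgreSQL project. It classifies the banner printed by `pg_dump --version` or returned by `SELECT version()`; the function names and sample banners are constructed for illustration.

```python
import re

# First fixed minor release per major branch, as listed in the Summary above.
FIXED_MINOR = {16: 4, 15: 8, 14: 13, 13: 16, 12: 20}

# Matches "PostgreSQL 15.7 (Debian ...)" from SELECT version() and
# "pg_dump (PostgreSQL) 16.3" from pg_dump --version, plus "16beta1"/"16rc1".
_VERSION_RE = re.compile(r"PostgreSQL\)?\s+(\d+)(?:\.(\d+))?(beta|rc)?")


def parse_version(banner):
    """Return (major, minor, is_prerelease), or None if no version is found."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    minor = int(m.group(2)) if m.group(2) else 0
    return int(m.group(1)), minor, m.group(3) is not None


def classify(banner):
    """Return 'fixed', 'affected', 'not-listed' or 'unknown' for one banner."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unknown"
    major, minor, prerelease = parsed
    if major not in FIXED_MINOR:
        return "not-listed"  # the page names no fixed release for this branch
    if prerelease:
        return "affected"    # e.g. 16beta1 predates 16.0, so it predates 16.4
    return "fixed" if minor >= FIXED_MINOR[major] else "affected"


def pair_protected(pg_dump_banner, server_banner):
    """True only when both client and server are at a fixed release.

    The upstream release notes for the fixed versions state that the attack
    is prevented only if both pg_dump and the server it dumps from are fixed.
    """
    return classify(pg_dump_banner) == classify(server_banner) == "fixed"


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    for b in ("pg_dump (PostgreSQL) 16.3",
              "PostgreSQL 15.8 (Debian 15.8-1.pgdg120+1) on x86_64-pc-linux-gnu",
              "PostgreSQL 11.22"):
        print(f"{classify(b):<10} {b}")
```

A result of `not-listed` means the page gives no fixed release for that major branch, so the script makes no claim about it either way.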

News Articles

PostgreSQL Vulnerability Allows Hackers To Execute Arbitrary SQL Functions

PostgreSQL Vulnerability, pg_dump utility poses a significant security risk, especially when executed by superusers.

PostgreSQL: New Security Vulnerability! Flaw Enables Privilege Escalation

The BSI has published a current IT security advisory for PostgreSQL. Find out more about the affected operating systems and products as well as CVE numbers here on news.de.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • First article discovered by News.de

  • Vulnerability published

Credit

The PostgreSQL project thanks Noah Misch for reporting this problem.