CVE-2024-7348

Description

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

How to fix CVE-2024-7348

To remediate CVE-2024-7348, upgrade the affected package to a fixed version below.

• —upgrade to 14.13-r0 or later
• —upgrade to 15.8-r0 or later
• —upgrade to 16.4-r0 or later
• —upgrade to 12.20.0 or later
• —upgrade to 13.16-0+deb11u1 or later
• —upgrade to 13.16-0+deb11u1 or later
• —upgrade to 15.8-0+deb12u1 or later
• —upgrade to 15.8-0+deb12u1 or later

Is CVE-2024-7348 being exploited?

Low — EPSS is 0.7%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 14.13-r0
• from 0, < 15.8-r0
• from 0, < 16.4-r0
• from 0, < 12.20.0, >= 13.0.0, < 13.16.0, >= 14.0.0, < 14.13.0, >= 15.0.0, < 15.8.0, >= 16.0.0, < 16.4.0
• from 0, < 13.16-0+deb11u1
• from 0, < 13.16-0+deb11u1
• from 0, < 15.8-0+deb12u1
• from 0, < 15.8-0+deb12u1

CVSS scores

References (6)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-7348
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-7348
• WEBnvd.nist.gov/vuln/detail/CVE-2024-7348
• WEBsecurity.netapp.com/advisory/ntap-20240822-0002/
• WEB