CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
EPSS
Percentile
20.0%
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL
allows an object creator to execute arbitrary SQL functions as the user
running pg_dump, which is often a superuser. The attack involves replacing
another relation type with a view or foreign table. The attack requires
waiting for pg_dump to start, but winning the race condition is trivial if
the attacker retains an open transaction. Versions before PostgreSQL 16.4,
15.8, 14.13, 13.16, and 12.20 are affected.
Author | Note |
---|---|
leosilva | PostgreSQL 9.3 is end of life upstream, and no updates are are available. Marking as deferred in -esm-main releases. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | postgresql-10 | < any | UNKNOWN |
ubuntu | 20.04 | noarch | postgresql-12 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | postgresql-14 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | postgresql-16 | < any | UNKNOWN |
ubuntu | 14.04 | noarch | postgresql-9.3 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | postgresql-9.5 | < any | UNKNOWN |
launchpad.net/bugs/cve/CVE-2024-7348
nvd.nist.gov/vuln/detail/CVE-2024-7348
security-tracker.debian.org/tracker/CVE-2024-7348
www.cve.org/CVERecord?id=CVE-2024-7348
www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910/
www.postgresql.org/support/security/CVE-2024-7348/