CVE-2024-7348

HIGH

PostgreSQL 12.0-12.19 - Time-of-check Time-of-use Race Condition in pg_dump

Title source: llm

Description

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

References (3)

Core 3

Core References

Vendor Advisory

https://www.postgresql.org/support/security/CVE-2024-7348/

Mailing List

http://www.openwall.com/lists/oss-security/2024/08/11/1

Vendor Advisory

https://security.netapp.com/advisory/ntap-20240822-0002/

Scores

CVSS v3 8.8

EPSS 0.0076

EPSS Percentile 73.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-367

Status published

Products (1)

postgresql/postgresql 12.0 - 12.20

Published Aug 08, 2024

Tracked Since Feb 18, 2026