CVE-2024-7348 - PostgreSQL relation replacement during pg_dump executes arbitrary SQL
Suggest editsFirst Published: 2024/08/08
Last Updated: 2024/08/15
Important: This is an assessment of the impact of CVE-2024-7348 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.
Summary
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
Vulnerability Details
CVE-ID: CVE-2024-7348
CVSS Base Score: 7.5
CVSS Temporal Score: Undefined
CVSS Environmental Score: Undefined
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products and Versions
PostgreSQL
- All versions of PostgreSQL prior to 16.4
- All versions of PostgreSQL prior to 15.8
- All versions of PostgreSQL prior to 14.13
- All versions of PostgreSQL prior to 13.16
- All versions of PostgreSQL prior to 12.20
EnterpriseDB Postgres Advanced Server
- All versions of EPAS prior to 16.4
- All versions of EPAS prior to 15.8
- All versions of EPAS prior to 14.13
- All versions of EPAS prior to 13.16.22
- All versions of EPAS prior to 12.20.25
EnterpriseDB Postgres Extended
- All versions of PGE prior to 16.4
- All versions of PGE prior to 15.8
- All versions of PGE prior to 14.13
- All versions of PGE prior to 13.16
- All versions of PGE prior to 12.20
Remediation
PostgreSQL Version Information
| Affected Version | Fixed In | Fix Published |
|---|---|---|
| All versions prior to 16.4 | 16.4 | 2024-08-08 |
| All versions prior to 15.7 | 15.8 | 2024-08-08 |
| All versions prior to 14.12 | 14.13 | 2024-08-08 |
| All versions prior to 13.16 | 13.16 | 2024-08-08 |
| All versions prior to 12.20 | 12.20 | 2024-08-08 |
EDB Postgres Advanced Server Version Information
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| EPAS | All versions prior to 12.20.25 | Update to version 12.20.25 or later. |
| EPAS | All versions prior to 13.16.22 | Update to version 13.16.22 or later. |
| EPAS | All versions prior to 14.13 | Update to version 14.13 or later. |
| EPAS | All versions prior to 15.8 | Update to version 15.8 or later. |
| EPAS | All versions prior to 16.4 | Update to version 16.4 or later. |
EDB Postgres Extended Version Information
| Product | VRMF | Remediation/First Fix |
|---|---|---|
| PGE | All versions prior to 12.20 | Update to version 12.20 or later. |
| PGE | All versions prior to 13.16 | Update to version 13.16 or later. |
| PGE | All versions prior to 14.13 | Update to version 14.13 or later. |
| PGE | All versions prior to 15.8 | Update to version 15.8 or later. |
| PGE | All versions prior to 16.4 | Update to version 16.4 or later. |
Reference
Related Information
Acknowledgement
The PostgreSQL project thanks Noah Misch for reporting this problem.
Change History
15 August 2024: Original Copy Published
Disclaimer
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.
Could this page be better? Report a problem or suggest an addition!