CVE-2024-7348
CVSS 3.1 Score 7.5 of 10 (high)
Details
Published Aug 8, 2024
Updated: Aug 12, 2024
CWE ID 367
Summary
CVE-2024-7348 is a Time-of-check Time-of-use (TOCTOU) race condition vulnerability affecting versions of PostgreSQL before 16.4, 15.8, 14.13, 13.16, and 12.20. This issue allows an object creator to execute arbitrary SQL functions during pg_dump operations, often as a superuser. The exploit involves replacing another relation type with a view or foreign table, requiring the attacker to have an open transaction and wait for pg_dump to start. Once the race condition is won, the attacker can execute malicious SQL functions, posing a significant security risk.
Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.
Share
Affected Products
- PostgreSQL
Affected Vendors
- PostgreSQL Global Development Group