CVE-2024-7348

CVSS 3.1 Score 7.5 of 10 (high)

Details

Published Aug 8, 2024
Updated: Aug 12, 2024
CWE ID 367

Summary

CVE-2024-7348 is a Time-of-check Time-of-use (TOCTOU) race condition vulnerability affecting versions of PostgreSQL before 16.4, 15.8, 14.13, 13.16, and 12.20. This issue allows an object creator to execute arbitrary SQL functions during pg_dump operations, often as a superuser. The exploit involves replacing another relation type with a view or foreign table, requiring the attacker to have an open transaction and wait for pg_dump to start. Once the race condition is won, the attacker can execute malicious SQL functions, posing a significant security risk.

Ligh bulbPrevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.

Share

Affected Products

  • PostgreSQL

Affected Vendors

  • PostgreSQL Global Development Group