CVE-2024-7348 - PostgreSQL relation replacement during pg_dump executes arbitrary SQL

First Published: 2024/08/08

Last Updated: 2024/08/15

Important: This is an assessment of the impact of CVE-2024-7348 on EDB products and services. It links to and details the CVE and supplements that information with EDB's own assessment.

Summary

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Vulnerability Details

CVE-ID: CVE-2024-7348

CVSS Base Score: 7.5

CVSS Temporal Score: Undefined

CVSS Environmental Score: Undefined

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products and Versions

PostgreSQL

  • All versions of PostgreSQL prior to 16.4
  • All versions of PostgreSQL prior to 15.8
  • All versions of PostgreSQL prior to 14.13
  • All versions of PostgreSQL prior to 13.16
  • All versions of PostgreSQL prior to 12.20

EnterpriseDB Postgres Advanced Server

  • All versions of EPAS prior to 16.4
  • All versions of EPAS prior to 15.8
  • All versions of EPAS prior to 14.13
  • All versions of EPAS prior to 13.16.22
  • All versions of EPAS prior to 12.20.25

EnterpriseDB Postgres Extended

  • All versions of PGE prior to 16.4
  • All versions of PGE prior to 15.8
  • All versions of PGE prior to 14.13
  • All versions of PGE prior to 13.16
  • All versions of PGE prior to 12.20

Remediation

PostgreSQL Version Information

Affected VersionFixed InFix Published
All versions prior to 16.416.42024-08-08
All versions prior to 15.715.82024-08-08
All versions prior to 14.1214.132024-08-08
All versions prior to 13.1613.162024-08-08
All versions prior to 12.2012.202024-08-08

EDB Postgres Advanced Server Version Information

ProductVRMFRemediation/First Fix
EPASAll versions prior to 12.20.25Update to version 12.20.25 or later.
EPASAll versions prior to 13.16.22Update to version 13.16.22 or later.
EPASAll versions prior to 14.13Update to version 14.13 or later.
EPASAll versions prior to 15.8Update to version 15.8 or later.
EPASAll versions prior to 16.4Update to version 16.4 or later.

EDB Postgres Extended Version Information

ProductVRMFRemediation/First Fix
PGEAll versions prior to 12.20Update to version 12.20 or later.
PGEAll versions prior to 13.16Update to version 13.16 or later.
PGEAll versions prior to 14.13Update to version 14.13 or later.
PGEAll versions prior to 15.8Update to version 15.8 or later.
PGEAll versions prior to 16.4Update to version 16.4 or later.

Reference

Acknowledgement

The PostgreSQL project thanks Noah Misch for reporting this problem.

Change History

15 August 2024: Original Copy Published

Disclaimer

This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document is at your own risk. EDB reserves the right to change or update this document at any time. Customers are therefore recommended to always view the latest version of this document.


Could this page be better? Report a problem or suggest an addition!