CVE-2024-7348

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-7348
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7348.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-7348
Aliases
Downstream
Related
Published
2024-08-08T13:15:14.007Z
Modified
2026-03-15T22:50:56.418702Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Time-of-check Time-of-use (TOCTOU) race condition in pgdump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pgdump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

References

Affected packages

Git /

Affected ranges

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-7348.json"
unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "12.0"
            },
            {
                "fixed": "12.20"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "13.0"
            },
            {
                "fixed": "13.16"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "14.0"
            },
            {
                "fixed": "14.13"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "15.0"
            },
            {
                "fixed": "15.8"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "16.0"
            },
            {
                "fixed": "16.4"
            }
        ]
    }
]