TheCyberThrone

PostgreSQL TOCTOU Vulnerability CVE-2024-7348


PostgreSQL has released a security advisory for a vulnerability that exposes users to the risk of arbitrary SQL execution during pg_dump operations, potentially allowing attackers to execute harmful functions with elevated privileges.

The vulnerability, tracked as CVE-2024-7348 with a CVSS score of 8.8, stems from a time-of-check to time-of-use (TOCTOU) race condition within the pg_dump utility. An attacker with the ability to create objects within the database can exploit the race condition to execute arbitrary SQL functions as the user running pg_dump. This user is often a superuser, making the potential impact of this vulnerability particularly severe.


The attack scenario involves replacing an existing relation type with a view or a foreign table just as pg_dump is being executed. This allows the attacker to insert malicious SQL code that gets executed with the privileges of the user running pg_dump, effectively compromising the database and potentially the entire system.
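The precondition described above (a role that can create objects, and a pg_dump session running as a more privileged user) can be audited from the system catalogs. The queries below are an added example, not taken from the PostgreSQL advisory or the original post; they assume they are run in each database that pg_dump backs up, and that pg_dump connects with its default application name.

```sql
-- Added example: exposure audit for CVE-2024-7348 preconditions.

-- 1. Non-superuser roles that effectively hold CREATE on a user schema
--    (includes privileges inherited through role membership or PUBLIC).
SELECT r.rolname AS role_name,
       n.nspname AS schema_name
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE NOT r.rolsuper
  AND r.rolname !~ '^pg_'                -- skip predefined roles
  AND n.nspname !~ '^pg_'                -- skip pg_catalog, pg_toast, pg_temp_*
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY r.rolname, n.nspname;

-- 2. Relations owned by non-superusers: their owners are able to drop
--    and recreate them under the same name while a dump is running.
--    relkind: r = table, p = partitioned table, v = view,
--             m = materialized view, f = foreign table, S = sequence
SELECT n.nspname AS schema_name,
       c.relname AS relation_name,
       c.relkind,
       r.rolname AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r     ON r.oid = c.relowner
WHERE NOT r.rolsuper
  AND c.relkind IN ('r', 'p', 'v', 'm', 'f', 'S')
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
ORDER BY r.rolname, n.nspname, c.relname;

-- 3. pg_dump sessions connected right now and whether they run as a
--    superuser. Assumption: application_name was left at its default
--    ('pg_dump'); a client can override it, so absence proves nothing.
SELECT a.pid,
       a.usename,
       r.rolsuper,
       a.datname,
       a.backend_start
FROM pg_stat_activity a
JOIN pg_roles r ON r.rolname = a.usename
WHERE a.application_name = 'pg_dump';
```

Rows from query 1 or 2 combined with `rolsuper = true` in query 3 indicate the exposed configuration: untrusted object creators in a database that is dumped by a superuser.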

The following PostgreSQL versions are vulnerable:

Users are advised to update their PostgreSQL installations to the latest patched versions immediately. The PostgreSQL project has released fixes for all supported versions.
