PT-2024-5504

Noah Misch · Published 2024-08-07 · Updated 2026-04-03 · CVE-2024-7348

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

PostgreSQL versions prior to 16.4
PostgreSQL versions prior to 15.8
PostgreSQL versions prior to 14.13
PostgreSQL versions prior to 13.16
PostgreSQL versions prior to 12.20
Description

A Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Approximately 3,929,844 devices are potentially affected, mainly distributed in the United States, Germany, and other countries.

Recommendations

For versions prior to 16.4, upgrade to version 16.4 or later. For versions prior to 15.8, upgrade to version 15.8 or later. For versions prior to 14.13, upgrade to version 14.13 or later. For versions prior to 13.16, upgrade to version 13.16 or later. For versions prior to 12.20, upgrade to version 12.20 or later. As a temporary workaround, consider restricting access to the pg_dump utility until a patch is available. Avoid using the pg_dump utility with open transactions to minimize the risk of exploitation.

Weakness Enumeration

Time Of Check To Time Of Use

Related Identifiers

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
PostgreSQL
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu
zVirt Node