Security Flaw in PostgreSQL: CVE-2024-7348 Allows Arbitrary SQL Execution
The PostgreSQL project has issued a security advisory for CVE-2024-7348, a vulnerability rated CVSS 8.8. The flaw allows arbitrary SQL to be executed during a pg_dump run, so an attacker can have functions of their choosing run with the privileges of the role performing the backup.
CVE-2024-7348 is a Time-of-check Time-of-use (TOCTOU) race condition in the pg_dump utility, the standard tool for backing up PostgreSQL databases. pg_dump first looks up what kind of relation an object is and later issues queries against it; an attacker who can create and drop non-temporary objects in the database can swap the object between those two steps, so that pg_dump ends up running arbitrary SQL functions as the role that invoked pg_dump. That role is often a superuser, which is what makes the impact severe.
Concretely, the attacker replaces a relation of another kind (a sequence, for example) with a view or a foreign table while pg_dump is running. When pg_dump then reads the object, the view definition or foreign-table access executes the attacker's SQL with the backup role's privileges. The attack requires waiting for a pg_dump session to start, but winning the race is trivial if the attacker holds an open transaction, so it should be treated as practical rather than theoretical. Anything the backup role can reach, which for a superuser is the whole database and any server-side function it can call, is exposed.
Affected Versions
The following PostgreSQL versions are vulnerable:
- PostgreSQL 16 before 16.4
- PostgreSQL 15 before 15.8
- PostgreSQL 14 before 14.13
- PostgreSQL 13 before 13.16
- PostgreSQL 12 before 12.20
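Because both the pg_dump client and the server it dumps from have to be at a fixed release for the protection to apply, a quick way to audit a host is to compare both version strings against the list above. The following POSIX shell script is an added example, not code from the PostgreSQL project or the advisory: it classifies version strings (as printed by `pg_dump --version` or `show server_version`) against the fixed minor releases listed above, runs on constructed sample strings by default, and, when invoked with `--live`, assumes `psql` and `pg_dump` are on PATH and that the usual `PG*` environment variables point at the server to inspect.

```sh
#!/bin/sh
# Added example: classify PostgreSQL version strings against the fixed releases
# for CVE-2024-7348 (16.4, 15.8, 14.13, 13.16, 12.20). Not part of the advisory.

# First fixed minor release for a given major; empty if the major is not in the list.
fixed_minor_for() {
  case "$1" in
    16) echo 4 ;;
    15) echo 8 ;;
    14) echo 13 ;;
    13) echo 16 ;;
    12) echo 20 ;;
    *)  echo "" ;;
  esac
}

# Pull "MAJOR.MINOR" out of strings such as "16.3", "pg_dump (PostgreSQL) 16.3"
# or "15.8 (Debian 15.8-1.pgdg120+1)". Prints nothing if no MAJOR.MINOR is found.
extract_version() {
  printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Prints one of: fixed, vulnerable, unknown (always exits 0 so it composes under set -e).
# "unknown" covers unparsable strings and majors outside 12..16, e.g. 17, whose first
# release postdates the fix, or 11 and older, which were already unsupported.
cve_2024_7348_status() {
  v=$(extract_version "$1")
  if [ -z "$v" ]; then echo unknown; return 0; fi
  major=${v%%.*}
  minor=${v#*.}
  fixed=$(fixed_minor_for "$major")
  if [ -z "$fixed" ]; then echo unknown; return 0; fi
  if [ "$minor" -ge "$fixed" ]; then echo fixed; else echo vulnerable; fi
}

# Human-readable line for one component ("server", "pg_dump", ...).
report() {
  label=$1; raw=$2
  case "$(cve_2024_7348_status "$raw")" in
    fixed)      echo "$label: $(extract_version "$raw") includes the CVE-2024-7348 fix" ;;
    vulnerable) echo "$label: $(extract_version "$raw") is VULNERABLE to CVE-2024-7348; upgrade" ;;
    *)          echo "$label: '$raw' is outside the advisory's 12..16 list; check its release notes" ;;
  esac
}

# Live check of both halves. The fix added the server parameter
# restrict_nonsystem_relation_kind, which a patched pg_dump sets for its own session;
# its presence in pg_settings confirms the server side is patched.
check_live() {
  command -v psql >/dev/null 2>&1 || { echo "psql not found; skipping live check"; return 0; }
  report "server"  "$(psql -AtXc 'show server_version')"
  report "pg_dump" "$(pg_dump --version)"
  if [ -n "$(psql -AtXc "select name from pg_settings where name = 'restrict_nonsystem_relation_kind'")" ]; then
    echo "server exposes restrict_nonsystem_relation_kind (patched build)"
  else
    echo "server lacks restrict_nonsystem_relation_kind (unpatched build)"
  fi
}

# Constructed sample strings (not captured from a real host) to show the classification.
for s in "16.3" "pg_dump (PostgreSQL) 16.4" "15.8 (Debian 15.8-1.pgdg120+1)" "12.19" "17.0"; do
  report "sample" "$s"
done
if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it as `sh check.sh --live` on the backup host itself, since it is the pg_dump binary that actually performs the backup, not the one on a DBA's laptop, that must be at a fixed release.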
Immediate Action Required
All users are strongly urged to update their PostgreSQL installations to the patched releases listed above. The PostgreSQL project has released fixes for all supported branches, and update instructions and downloads are available on its website. Note that the fix has two halves: it introduces a new server parameter, restrict_nonsystem_relation_kind, which blocks expansion of non-system views and access to foreign tables, and a patched pg_dump sets that parameter for its session when the server offers it. Updating only the pg_dump binary, or only the server, therefore does not close the hole; both the backup client and the server it dumps from must be at a fixed release.