
FreeBSD: VID-48e6d514-5568-11ef-af48-6cc21735f730 (CVE-2024-7348): PostgreSQL -- Prevent unauthorized code execution during pg_dump

Severity: 9
CVSS: (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Published: Aug 8, 2024
Added: Aug 8, 2024
Modified: Dec 10, 2025

Description

PostgreSQL project reports: An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
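Because the mitigation only holds when both sides carry the fix, the server-side half can be checked from any session: a patched server exposes restrict_nonsystem_relation_kind in pg_settings, an unpatched one does not know the parameter at all. The following is an added example written for this page, not part of the advisory; the keyword values 'view' and 'foreign-table' are the parameter's accepted settings as documented upstream and are not quoted from this advisory text.

```sql
-- 1. Does the server know the parameter? An empty result means the server
--    predates the fix, and a patched pg_dump cannot protect itself against it.
SELECT name, setting, context
FROM pg_settings
WHERE name = 'restrict_nonsystem_relation_kind';

-- 2. What a fixed pg_dump does at connection time when the server supports it:
--    refuse to expand non-builtin views and to read foreign tables, so a
--    sequence swapped for a view or foreign table cannot run SQL as the
--    dumping role. Any session (e.g. a hand-written export job) can do the same.
SET restrict_nonsystem_relation_kind = 'view, foreign-table';
SHOW restrict_nonsystem_relation_kind;

-- 3. The default (empty string) leaves both relation kinds accessible; verify
--    that a custom postgresql.conf or ALTER SYSTEM has not cleared the value
--    a job set, since the setting is per-session unless configured globally.
SELECT current_setting('restrict_nonsystem_relation_kind', true) AS effective;
```

Run step 1 against each server a backup job dumps from; the pg_dump binary itself must also be upgraded, since the parameter is only set by a fixed client.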

Solutions

- freebsd-upgrade-package-postgresql12-client
- freebsd-upgrade-package-postgresql13-client
- freebsd-upgrade-package-postgresql14-client
- freebsd-upgrade-package-postgresql15-client
- freebsd-upgrade-package-postgresql16-client
- freebsd-upgrade-package-postgresql12-server
- freebsd-upgrade-package-postgresql13-server
- freebsd-upgrade-package-postgresql14-server
- freebsd-upgrade-package-postgresql15-server
- freebsd-upgrade-package-postgresql16-server