Rapid7 Vulnerability & Exploit Database

Red Hat: CVE-2024-7348: postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (Multiple Advisories)

Free InsightVM Trial No Credit Card Necessary

2024 Attack Intel Report Latest research by Rapid7 Labs

Back to Search

Red Hat: CVE-2024-7348: postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (Multiple Advisories)

Severity

CVSS

(AV:N/AC:H/Au:S/C:C/I:C/A:C)

Published

08/08/2024

Created

09/14/2024

Added

09/13/2024

Modified

09/13/2024

Description

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Solution(s)

redhat-upgrade-pg_repack
redhat-upgrade-pg_repack-debuginfo
redhat-upgrade-pg_repack-debugsource
redhat-upgrade-pgaudit
redhat-upgrade-pgaudit-debuginfo
redhat-upgrade-pgaudit-debugsource
redhat-upgrade-postgres-decoderbufs
redhat-upgrade-postgres-decoderbufs-debuginfo
redhat-upgrade-postgres-decoderbufs-debugsource
redhat-upgrade-postgresql
redhat-upgrade-postgresql-contrib
redhat-upgrade-postgresql-contrib-debuginfo
redhat-upgrade-postgresql-debuginfo
redhat-upgrade-postgresql-debugsource
redhat-upgrade-postgresql-docs
redhat-upgrade-postgresql-docs-debuginfo
redhat-upgrade-postgresql-plperl
redhat-upgrade-postgresql-plperl-debuginfo
redhat-upgrade-postgresql-plpython3
redhat-upgrade-postgresql-plpython3-debuginfo
redhat-upgrade-postgresql-pltcl
redhat-upgrade-postgresql-pltcl-debuginfo
redhat-upgrade-postgresql-private-devel
redhat-upgrade-postgresql-private-libs
redhat-upgrade-postgresql-private-libs-debuginfo
redhat-upgrade-postgresql-server
redhat-upgrade-postgresql-server-debuginfo
redhat-upgrade-postgresql-server-devel
redhat-upgrade-postgresql-server-devel-debuginfo
redhat-upgrade-postgresql-static
redhat-upgrade-postgresql-test
redhat-upgrade-postgresql-test-debuginfo
redhat-upgrade-postgresql-test-rpm-macros
redhat-upgrade-postgresql-upgrade
redhat-upgrade-postgresql-upgrade-debuginfo
redhat-upgrade-postgresql-upgrade-devel
redhat-upgrade-postgresql-upgrade-devel-debuginfo

References

CVE-2024-7348
RHSA-2024:5927
RHSA-2024:5929
RHSA-2024:5999
RHSA-2024:6000
RHSA-2024:6001
RHSA-2024:6018
RHSA-2024:6020
RHSA-2024:6137
RHSA-2024:6140
RHSA-2024:6141
RHSA-2024:6142
RHSA-2024:6145

Advanced vulnerability management analytics and reporting.

Key Features

Lightweight Endpoint Agent
Live Dashboards
Real Risk Prioritization
IT-Integrated Remediation Projects
Cloud, Virtual, and Container Assessment
Integrated Threat Feeds
Easy-to-Use RESTful API
Automation-Assisted Patching
Automated Containment

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;

Rapid7 Vulnerability & Exploit Database

Red Hat: CVE-2024-7348: postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (Multiple Advisories)

Red Hat: CVE-2024-7348: postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL (Multiple Advisories)

Description

Solution(s)

References

Success! Thank you for submission. We will be in touch shortly.

Oops! There was a problem in submission. Please try again.

Submit your information and we will get in touch with you.