FreeBSD: VID-48E6D514-5568-11EF-AF48-6CC21735F730 (CVE-2024-7348): PostgreSQL -- Prevent unauthorized code execution during pg_dump

FreeBSD: VID-48E6D514-5568-11EF-AF48-6CC21735F730 (CVE-2024-7348): PostgreSQL -- Prevent unauthorized code execution during pg_dump

Severity

9

CVSS

(AV:N/AC:M/Au:S/C:C/I:C/A:C)

Published

08/08/2024

Created

08/10/2024

Added

08/08/2024

Modified

01/28/2025

Description

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Solution(s)

• freebsd-upgrade-package-postgresql12-client
• freebsd-upgrade-package-postgresql12-server
• freebsd-upgrade-package-postgresql13-client
• freebsd-upgrade-package-postgresql13-server
• freebsd-upgrade-package-postgresql14-client
• freebsd-upgrade-package-postgresql14-server
• freebsd-upgrade-package-postgresql15-client
• freebsd-upgrade-package-postgresql15-server
• freebsd-upgrade-package-postgresql16-client
• freebsd-upgrade-package-postgresql16-server

References

• CVE-2024-7348