Amazon Linux 2023: CVE-2024-7348: Important priority package update for postgresql15

Amazon Linux 2023: CVE-2024-7348: Important priority package update for postgresql15

Severity

7

CVSS

(AV:N/AC:H/Au:S/C:C/I:C/A:C)

Published

08/08/2024

Created

02/14/2025

Added

02/14/2025

Modified

02/14/2025

Description

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected. A vulnerability was found in PostgreSQL. A Race condition in pg_dump allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser.

Solution(s)

• amazon-linux-2023-upgrade-postgresql15
• amazon-linux-2023-upgrade-postgresql15-contrib
• amazon-linux-2023-upgrade-postgresql15-contrib-debuginfo
• amazon-linux-2023-upgrade-postgresql15-debuginfo
• amazon-linux-2023-upgrade-postgresql15-debugsource
• amazon-linux-2023-upgrade-postgresql15-docs
• amazon-linux-2023-upgrade-postgresql15-docs-debuginfo
• amazon-linux-2023-upgrade-postgresql15-llvmjit
• amazon-linux-2023-upgrade-postgresql15-llvmjit-debuginfo
• amazon-linux-2023-upgrade-postgresql15-plperl
• amazon-linux-2023-upgrade-postgresql15-plperl-debuginfo
• amazon-linux-2023-upgrade-postgresql15-plpython3
• amazon-linux-2023-upgrade-postgresql15-plpython3-debuginfo
• amazon-linux-2023-upgrade-postgresql15-pltcl
• amazon-linux-2023-upgrade-postgresql15-pltcl-debuginfo
• amazon-linux-2023-upgrade-postgresql15-private-devel
• amazon-linux-2023-upgrade-postgresql15-private-libs
• amazon-linux-2023-upgrade-postgresql15-private-libs-debuginfo
• amazon-linux-2023-upgrade-postgresql15-server
• amazon-linux-2023-upgrade-postgresql15-server-debuginfo
• amazon-linux-2023-upgrade-postgresql15-server-devel
• amazon-linux-2023-upgrade-postgresql15-server-devel-debuginfo
• amazon-linux-2023-upgrade-postgresql15-static
• amazon-linux-2023-upgrade-postgresql15-test
• amazon-linux-2023-upgrade-postgresql15-test-debuginfo
• amazon-linux-2023-upgrade-postgresql15-test-rpm-macros
• amazon-linux-2023-upgrade-postgresql15-upgrade
• amazon-linux-2023-upgrade-postgresql15-upgrade-debuginfo
• amazon-linux-2023-upgrade-postgresql15-upgrade-devel
• amazon-linux-2023-upgrade-postgresql15-upgrade-devel-debuginfo

References

• https://attackerkb.com/topics/cve-2024-7348
• CVE - 2024-7348
• https://alas.aws.amazon.com/AL2023/ALAS-2024-702.html