Monday, January 13, 2025
HomeCVE/vulnerabilityPostgreSQL Vulnerability Allows Hackers To Execute Arbitrary SQL Functions

PostgreSQL Vulnerability Allows Hackers To Execute Arbitrary SQL Functions

Published on

A critical vulnerability identified as CVE-2024-7348 has been discovered in PostgreSQL, enabling attackers to execute arbitrary SQL functions.

This vulnerability in the pg_dump utility poses a significant security risk, especially when executed by superusers.

CVE-2024-7348 – Vulnerability Details

The flaw is a Time-of-check Time-of-use (TOCTOU) race condition in the pg_dump process. An attacker can exploit this by replacing another relation type with a view or foreign table, allowing them to execute arbitrary SQL functions.

Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access

The attack requires precise timing to coincide with the start of pg_dump, but the race condition is easily won if the attacker maintains an open transaction.

Affected Versions

The vulnerability affects PostgreSQL versions before 16.4, 15.8, 14.13, 13.16, and 12.20. The PostgreSQL project has released patches for these versions as of August 8, 2024. Users are strongly advised to update their systems to these fixed versions to mitigate the risk.

Version Information

Affected VersionFixed InFix Published
1616.4Aug. 8, 2024
1515.8Aug. 8, 2024
1414.13Aug. 8, 2024
1313.16Aug. 8, 2024
1212.20Aug. 8, 2024

Security Assessment

The vulnerability has been assigned a CVSS 3.0 overall score of 8.8, indicating a high severity level.

The core server component is affected, with the vector described as AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, highlighting the potential for significant confidentiality, integrity, and availability impacts.

The PostgreSQL project acknowledges Noah Misch for reporting this issue. Users who discover new security vulnerabilities are encouraged to contact the PostgreSQL security team. For non-security-related bugs, users should refer to the Report a Bug page.

This vulnerability underscores the importance of timely updates and vigilant security practices to protect sensitive data and maintain system integrity.

Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

Microsoft Warns of MFA Issue Affecting Microsoft 365 users

Microsoft has issued a warning regarding an ongoing issue with Multi-Factor Authentication (MFA) that...

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Critical macOS Vulnerability Lets Hackers to Bypass Apple’s System Integrity Protection

Microsoft Threat Intelligence has uncovered a critical macOS vulnerability that allowed attackers to bypass...

CISA Released A Free Guide to Enhance OT Product Security

To address rising cyber threats targeting critical infrastructure, the U.S. Cybersecurity and Infrastructure Security...

Microsoft Warns of MFA Issue Affecting Microsoft 365 users

Microsoft has issued a warning regarding an ongoing issue with Multi-Factor Authentication (MFA) that...