A critical vulnerability identified as CVE-2024-7348 has been discovered in PostgreSQL, enabling attackers to execute arbitrary SQL functions.
This vulnerability in the pg_dump utility poses a significant security risk, especially when executed by superusers.
The flaw is a Time-of-check Time-of-use (TOCTOU) race condition in the pg_dump process. An attacker can exploit this by replacing another relation type with a view or foreign table, allowing them to execute arbitrary SQL functions.
Are you from SOC and DFIR Teams? Analyse Malware Incidents & get live Access with ANY.RUN -> Get 14 Days Free Access
The attack requires precise timing to coincide with the start of pg_dump, but the race condition is easily won if the attacker maintains an open transaction.
Affected Versions
The vulnerability affects PostgreSQL versions before 16.4, 15.8, 14.13, 13.16, and 12.20. The PostgreSQL project has released patches for these versions as of August 8, 2024. Users are strongly advised to update their systems to these fixed versions to mitigate the risk.
Version Information
| Affected Version | Fixed In | Fix Published |
| 16 | 16.4 | Aug. 8, 2024 |
| 15 | 15.8 | Aug. 8, 2024 |
| 14 | 14.13 | Aug. 8, 2024 |
| 13 | 13.16 | Aug. 8, 2024 |
| 12 | 12.20 | Aug. 8, 2024 |
The vulnerability has been assigned a CVSS 3.0 overall score of 8.8, indicating a high severity level.
The core server component is affected, with the vector described as AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, highlighting the potential for significant confidentiality, integrity, and availability impacts.
The PostgreSQL project acknowledges Noah Misch for reporting this issue. Users who discover new security vulnerabilities are encouraged to contact the PostgreSQL security team. For non-security-related bugs, users should refer to the Report a Bug page.
This vulnerability underscores the importance of timely updates and vigilant security practices to protect sensitive data and maintain system integrity.
Download Free Cybersecurity Planning Checklist for SME Leaders (PDF) – Free Download
MathWorks, the renowned developer of MATLAB and Simulink, has been grappling with the aftermath of…
On May 27, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released a new Industrial…
The Chrome team at Google has officially released Chrome 137 to the stable channel for…
Mozilla has released Firefox 139, addressing several critical and moderate security vulnerabilities that posed significant…
INE Security, a global cybersecurity training and certification provider, today announced a strategic partnership with…
DocuSign has emerged as a cornerstone for over 1.6 million customers worldwide, including 95% of…
%20(1).webp?w=1600&resize=1600,900&ssl=1)
%20(1).webp?w=1600&resize=1600,900&ssl=1)