{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-7348", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "state": "PUBLISHED", "assignerShortName": "PostgreSQL", "dateReserved": "2024-07-31T18:33:23.341Z", "datePublished": "2024-08-08T13:00:02.130Z", "dateUpdated": "2024-08-22T18:03:18.699Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2024-08-08T13:00:02.130Z"}, "title": "PostgreSQL relation replacement during pg_dump executes arbitrary SQL", "descriptions": [{"lang": "en", "value": "Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected."}], "affected": [{"defaultStatus": "unaffected", "product": "PostgreSQL", "vendor": "n/a", "versions": [{"lessThan": "16.4", "status": "affected", "version": "16", "versionType": "rpm"}, {"lessThan": "15.8", "status": "affected", "version": "15", "versionType": "rpm"}, {"lessThan": "14.13", "status": "affected", "version": "14", "versionType": "rpm"}, {"lessThan": "13.16", "status": "affected", "version": "13", "versionType": "rpm"}, {"lessThan": "12.20", "status": "affected", "version": "0", "versionType": "rpm"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-367", "type": "CWE", "description": "Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2024-7348/"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "configurations": [{"lang": "en", "value": "attacker has permission to create non-temporary objects in at least one schema"}], "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Noah Misch for reporting this problem."}]}, "adp": [{"affected": [{"vendor": "postgresql", "product": "postgresql", "cpes": ["cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*"], "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "12.20", "versionType": "custom"}, {"version": "13", "status": "affected", "lessThan": "13.16", "versionType": "custom"}, {"version": "14", "status": "affected", "lessThan": "14.13", "versionType": "custom"}, {"version": "15", "status": "affected", "lessThan": "15.8", "versionType": "custom"}, {"version": "16", "status": "affected", "lessThan": "16.4", "versionType": "custom"}]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-08-15T00:00:00+00:00", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3", "id": "CVE-2024-7348"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-16T04:01:38.124Z"}}, {"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/08/11/1"}, {"url": "https://security.netapp.com/advisory/ntap-20240822-0002/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-22T18:03:18.699Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2024/08/11/1"}, {"url": "https://security.netapp.com/advisory/ntap-20240822-0002/"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-22T18:03:18.699Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-7348", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-08-09T18:15:41.354960Z"}}}], "affected": [{"cpes": ["cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*"], "vendor": "postgresql", "product": "postgresql", "versions": [{"status": "affected", "version": "0", "lessThan": "12.20", "versionType": "custom"}, {"status": "affected", "version": "13", "lessThan": "13.16", "versionType": "custom"}, {"status": "affected", "version": "14", "lessThan": "14.13", "versionType": "custom"}, {"status": "affected", "version": "15", "lessThan": "15.8", "versionType": "custom"}, {"status": "affected", "version": "16", "lessThan": "16.4", "versionType": "custom"}], "defaultStatus": "unknown"}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-08-09T18:19:26.753Z"}}], "cna": {"title": "PostgreSQL relation replacement during pg_dump executes arbitrary SQL", "credits": [{"lang": "en", "value": "The PostgreSQL project thanks Noah Misch for reporting this problem."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "n/a", "product": "PostgreSQL", "versions": [{"status": "affected", "version": "16", "lessThan": "16.4", "versionType": "rpm"}, {"status": "affected", "version": "15", "lessThan": "15.8", "versionType": "rpm"}, {"status": "affected", "version": "14", "lessThan": "14.13", "versionType": "rpm"}, {"status": "affected", "version": "13", "lessThan": "13.16", "versionType": "rpm"}, {"status": "affected", "version": "0", "lessThan": "12.20", "versionType": "rpm"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.postgresql.org/support/security/CVE-2024-7348/"}], "descriptions": [{"lang": "en", "value": "Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-367", "description": "Time-of-check Time-of-use (TOCTOU) Race Condition"}]}], "configurations": [{"lang": "en", "value": "attacker has permission to create non-temporary objects in at least one schema"}], "providerMetadata": {"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "shortName": "PostgreSQL", "dateUpdated": "2024-08-08T13:00:02.130Z"}}}, "cveMetadata": {"cveId": "CVE-2024-7348", "state": "PUBLISHED", "dateUpdated": "2024-08-22T18:03:18.699Z", "dateReserved": "2024-07-31T18:33:23.341Z", "assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "datePublished": "2024-08-08T13:00:02.130Z", "assignerShortName": "PostgreSQL"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "1406C6A7-1C35-4474-ACDB-BA846C24F21B", "versionEndExcluding": "12.20", "versionStartIncluding": "12.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "8FADD5D0-8034-4379-8C8F-2EB545AF97A9", "versionEndExcluding": "13.16", "versionStartIncluding": "13.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "5BC17304-2D09-4162-9010-02C4ED82B9EA", "versionEndExcluding": "14.13", "versionStartIncluding": "14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "7A8C15B7-5796-44FA-8A83-01DAF7B226ED", "versionEndExcluding": "15.8", "versionStartIncluding": "15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "7DDD83C9-C0AF-464E-A367-481E5556B970", "versionEndExcluding": "16.4", "versionStartIncluding": "16.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected."}, {"lang": "es", "value": "La condici\u00f3n de ejecuci\u00f3n de tiempo de verificaci\u00f3n de tiempo de uso (TOCTOU) en pg_dump en PostgreSQL permite a un creador de objetos ejecutar funciones SQL arbitrarias como el usuario que ejecuta pg_dump, que a menudo es un superusuario. El ataque implica reemplazar otro tipo de relaci\u00f3n con una vista o tabla externa. El ataque requiere esperar a que se inicie pg_dump, pero ganar la condici\u00f3n de ejecuci\u00f3n es trivial si el atacante retiene una transacci\u00f3n abierta. Las versiones anteriores a PostgreSQL 16.4, 15.8, 14.13, 13.16 y 12.20 se ven afectadas."}], "id": "CVE-2024-7348", "lastModified": "2024-11-21T09:51:20.720", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-08-08T13:15:14.007", "references": [{"source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "tags": ["Vendor Advisory"], "url": "https://www.postgresql.org/support/security/CVE-2024-7348/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2024/08/11/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20240822-0002/"}], "sourceIdentifier": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-367"}], "source": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-367"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8495", "cpe": "cpe:/o:redhat:rhel_els:7", "package": "postgresql-0:9.2.24-9.el7_9.1", "product_name": "Red Hat Enterprise Linux 7 Extended Lifecycle Support", "release_date": "2024-10-28T00:00:00Z"}, {"advisory": "RHSA-2024:5927", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:16-8100020240814094432.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-28T00:00:00Z"}, {"advisory": "RHSA-2024:6000", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:12-8100020240814102525.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:6001", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:15-8100020240814101911.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:6018", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "postgresql:13-8100020240814102212.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:6138", "cpe": "cpe:/a:redhat:rhel_aus:8.2", "package": "postgresql:12-8020020240828083606.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Advanced Update Support", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:6139", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "postgresql:12-8040020240827125019.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:6557", "cpe": "cpe:/a:redhat:rhel_aus:8.4", "package": "postgresql:13-8040020240830114010.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support", "release_date": "2024-09-10T00:00:00Z"}, {"advisory": "RHSA-2024:6139", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "postgresql:12-8040020240827125019.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:6557", "cpe": "cpe:/a:redhat:rhel_tus:8.4", "package": "postgresql:13-8040020240830114010.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Telecommunications Update Service", "release_date": "2024-09-10T00:00:00Z"}, {"advisory": "RHSA-2024:6139", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "postgresql:12-8040020240827125019.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:6557", "cpe": "cpe:/a:redhat:rhel_e4s:8.4", "package": "postgresql:13-8040020240830114010.522a0ee4", "product_name": "Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions", "release_date": "2024-09-10T00:00:00Z"}, {"advisory": "RHSA-2024:6558", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "postgresql:13-8060020240903094008.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-09-10T00:00:00Z"}, {"advisory": "RHSA-2024:6559", "cpe": "cpe:/a:redhat:rhel_aus:8.6", "package": "postgresql:12-8060020240903093929.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support", "release_date": "2024-09-10T00:00:00Z"}, {"advisory": "RHSA-2024:6558", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "postgresql:13-8060020240903094008.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-09-10T00:00:00Z"}, {"advisory": "RHSA-2024:6559", "cpe": "cpe:/a:redhat:rhel_tus:8.6", "package": "postgresql:12-8060020240903093929.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Telecommunications Update Service", "release_date": "2024-09-10T00:00:00Z"}, {"advisory": "RHSA-2024:6558", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "postgresql:13-8060020240903094008.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-09-10T00:00:00Z"}, {"advisory": "RHSA-2024:6559", "cpe": "cpe:/a:redhat:rhel_e4s:8.6", "package": "postgresql:12-8060020240903093929.ad008a3a", "product_name": "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions", "release_date": "2024-09-10T00:00:00Z"}, {"advisory": "RHSA-2024:6137", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "postgresql:12-8080020240828084611.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:6141", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "postgresql:13-8080020240830064706.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:6142", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "postgresql:15-8080020240826125709.63b34585", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:5929", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "postgresql:16-9040020240812093225.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-28T00:00:00Z"}, {"advisory": "RHSA-2024:5999", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "postgresql-0:13.16-1.el9_4", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:6020", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "postgresql:15-9040020240812115436.rhel9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-08-29T00:00:00Z"}, {"advisory": "RHSA-2024:6144", "cpe": "cpe:/a:redhat:rhel_e4s:9.0", "package": "postgresql-0:13.16-1.el9_0", "product_name": "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:6140", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "postgresql:15-9020020240827093843.rhel9", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-09-03T00:00:00Z"}, {"advisory": "RHSA-2024:6145", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "postgresql-0:13.16-1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-09-03T00:00:00Z"}], "bugzilla": {"description": "postgresql: PostgreSQL relation replacement during pg_dump executes arbitrary SQL", "id": "2303682", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2303682"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-367", "details": ["Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.", "A vulnerability was found in PostgreSQL. A Race condition in pg_dump allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-7348", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 6"}], "public_date": "2024-08-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-7348\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-7348\nhttps://www.postgresql.org/support/security/CVE-2024-7348/"], "statement": "Satellite PostgreSQL is pulled through a base layered OS product and/or appstream repository and it is not shipped through this offering.\nThis TOCTOU race condition in pg_dump is a important severity issue because it enables a non-privileged database user to escalate their privileges and execute arbitrary SQL functions as the superuser, compromising the entire database system. The exploitation of this vulnerability is particularly dangerous due to the inherent privilege level associated with the pg_dump process, which typically operates with elevated rights to ensure comprehensive backups. The ease of exploitation\u2014due to the trivial nature of winning the race condition by holding an open transaction\u2014further amplifies the risk, making it a significant threat in environments running affected PostgreSQL versions.", "threat_severity": "Important"}