Updated: 2024-11-30 03:47:51.323991
Description:
Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.
Links | NIST | CIRCL | RHEL | Ubuntu |
Severity | Score | |
---|---|---|
CVSS Version 2.x | 0 | |
CVSS Version 3.x | HIGH | 7.5 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
---|---|---|---|---|---|---|---|---|
CentOS 7 ELS | postgresql | 9.2.24 | 7.5 | HIGH | In Progress | 2024-12-04 12:11:22 | ||
Ubuntu 16.04 ELS | postgresql-9.5 | 9.5.25-0 | 7.5 | HIGH | Released | CLSA-2024:1728056209 | 2024-10-04 14:31:28 | |
Ubuntu 18.04 ELS | postgresql-10 | 10.23-0 | 7.5 | HIGH | Released | CLSA-2024:1727453123 | 2024-09-27 12:34:32 |