Summary
PostgreSQL Global Development Group has released security updates to address a “high” severity vulnerability in pg_dump, a command-line utility used to create logical backups of a PostgreSQL database.
This vulnerability could be exploited by a malicious user to elevate their privileges and execute arbitrary code on the affected instances.
Risk
Community Impact Estimate: HIGH/ORANGE (65.12/100)1.
Type
- Privilege Escalation
- Remote Code Execution
Affected products and versions
PostgreSQL,
- 16.x, versions prior to 16.4
- 15.x, versions prior to 15.8
- 14.x, versions prior to 14.13
- 13.x, versions prior to 13.16
- 12.x, versions prior to 12.20
Mitigation actions
In line with the vendor’s statements, it is recommended to apply the available mitigations following the indications reported in the security bulletin in the References section.
It is highlighted that for all versions of PostgreSQL 12.x, starting from November 14, 2024, the vendor will not release any further workarounds and/or patches considering the end of support (EOL) date.
Unique Vulnerability Identifiers
CVE-2024-7348
References
https://www.postgresql.org/about/news/postgresql-164-158-1413-1316-1220-and-17-beta-3-released-2910
1This estimate is made taking into account several parameters, including: CVSS, availability of patches/workarounds and PoC, diffusion of the affected software/devices in the reference community.
