Detections
Analytics
PostgreSQL 12.x < 12.20 / 13.x < 13.16 / 14.x < 14.13 / 15.x < 15.8 / 16.x 16.4 SQL Injection<
high Nessus Plugin ID 205594
Language:
Synopsis
The remote database server is affected by an SQL injection vulnerabilityDescription
The version of PostgreSQL installed on the remote host is 12 prior to 12.20, 13 prior to 13.16, 14 prior to 14.13, 15 prior to 15.8, or 16 prior to 16.4. As such, it is potentially affected by a vulnerability :- Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction.
Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected. (CVE-2024-7348)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to PostgreSQL 12.20 / 13.16 / 14.13 / 15.8 / 16.4 or laterSee Also
Plugin Details
Severity: High
ID: 205594
File Name: postgresql_20240808.nasl
Version: 1.3
Type: local
Family: Databases
Published: 8/15/2024
Updated: 8/16/2024
Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: High
Base Score: 7.1
Temporal Score: 5.3
Vector: CVSS2#AV:N/AC:H/Au:S/C:C/I:C/A:C
CVSS Score Source: CVE-2024-7348
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:postgresql:postgresql
Exploit Ease: No known exploits are available
Patch Publication Date: 8/8/2024
Vulnerability Publication Date: 8/8/2024
Reference Information
CVE: CVE-2024-7348
IAVB: 2024-B-0117