From upstream:

CVE-2024-7348: PostgreSQL relation replacement during pg_dump executes arbitrary SQL
CVSS v3.1 Base Score: 8.8
Supported, Vulnerable Versions: 12 - 16.

An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
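The server-side mitigation the upstream text describes, as an added SQL example that is not code from the bug report or from PostgreSQL itself: the first query tells a DBA whether the server is new enough to know the parameter at all (unpatched servers return no row), the second lists the non-system views and foreign tables that a patched pg_dump will refuse to expand so unexpected ones can be reviewed, and the final statements reproduce the restriction pg_dump applies at session start to confirm it takes effect. The allowed values `view` and `foreign-table` come from the PostgreSQL documentation rather than from this page, and the view name is a constructed placeholder.

```sql
-- Added example (not from the bug report or from PostgreSQL itself).

-- 1. Does this server carry the fix? A server without the parameter
--    (i.e. one that still needs updating) returns zero rows here.
SELECT name, setting, context
FROM pg_settings
WHERE name = 'restrict_nonsystem_relation_kind';

-- 2. Inventory the relation kinds the fix restricts: views and foreign
--    tables outside the system schemas that are owned by non-superusers.
--    A patched pg_dump will no longer expand these; anything you do not
--    recognise is worth a closer look.
SELECT n.nspname AS schema_name,
       c.relname AS relation_name,
       CASE c.relkind
           WHEN 'v' THEN 'view'
           WHEN 'f' THEN 'foreign table'
       END        AS kind,
       r.rolname  AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles     r ON r.oid = c.relowner
WHERE c.relkind IN ('v', 'f')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT r.rolsuper
ORDER BY 1, 2;

-- 3. Reproduce the session setting a patched pg_dump uses and confirm the
--    restriction bites. demo_restricted_view is a constructed placeholder.
CREATE VIEW demo_restricted_view AS SELECT 1 AS n;

SET restrict_nonsystem_relation_kind = 'view, foreign-table';
-- With the setting active, reading a non-system view is rejected with an
-- error instead of being expanded; that is the behaviour that stops the
-- substituted object from running its body under pg_dump's privileges.
SELECT * FROM demo_restricted_view;

RESET restrict_nonsystem_relation_kind;
-- Back to normal for this session: the same SELECT now returns one row.
SELECT * FROM demo_restricted_view;

DROP VIEW demo_restricted_view;
```

The setting is per-session, so running step 3 in `psql` has no effect on other connections; pg_dump only protects itself by setting it, and the inventory in step 2 is what tells you which objects a still-unpatched dump client would have expanded.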
Downgrading this to A1 since the attacker must be "able to create and drop non-temporary objects", which as far as I can tell requires some kind of existing access to the database server.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=d0b7a61aa1bef2572192a9c1be444b1ade4a3aa1

commit d0b7a61aa1bef2572192a9c1be444b1ade4a3aa1
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-09-22 05:47:12 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-09-22 05:47:28 +0000

    [ GLSA 202409-02 ] PostgreSQL: Privilege Escalation

    Bug: https://bugs.gentoo.org/937573
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202409-02.xml | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)