ALPINE-CVE-2024-7348 — Vulnetix

Try Vulnetix Request Demo

ALPINE-CVE-2024-7348 PUBLISHED CVSS 7.5 HIGH

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

Risk Scores

CVSS v3.1

7.5

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Alpine:v3.18	postgresql15	15.2-r3, 15.2-r0, 15.1-r1
Alpine:v3.19	postgresql16	16.0-r1, 16.0-r0, 0
Alpine:v3.18	postgresql14	9.6.0-r1, 9.6.0-r0, 9.5.4-r0
Alpine:v3.20	postgresql15	15.6-r0, 15.1-r0, 15.1-r1
Alpine:v3.17	postgresql15	15.6-r0, 15.5-r0, 15.3-r0
Alpine:v3.20	postgresql16	16.1-r0, 16.2-r2, 16.3-r0
Alpine:v3.21	postgresql16	16.2-r4, 16.0-r1, 16.0-r2
Alpine:v3.19	postgresql15	0, 0, 15.6-r0
Alpine:v3.22	postgresql16	16.3-r1, 16.3-r0, 16.2-r4
Alpine:v3.17	postgresql14	14.1-r0, 14.0-r6, 13.3-r1

Timeline

Aug 8, 2024 CVE Published
Nov 19, 2025 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2024-7348 advisory

Open in Interactive Console →