PostgreSQL Vulnerability Lets Users Execute SQL via pg_dump

PostgreSQL has released corrective updates for all supported branches, including versions 16.4, 15.8, 14.13, 13.16, and 12.20. These updates address a total of 56 identified errors that have been reported over the past three months.

One of the critical fixes in the latest versions addresses a vulnerability rated as dangerous (severity 8.8 out of 10) and identified as CVE-2024-7348. It is caused by a race condition in the pg_dump utility that could allow an attacker to execute arbitrary SQL code with the permissions of the user under which pg_dump is launched. In most cases, pg_dump is launched with superuser rights to create backup copies of the database management system.

An attack exploiting this vulnerability would require the attacker to catch the moment the pg_dump utility is launched, which can be achieved by manipulating an open transaction. The attack essentially involves replacing the sequence of actions in order to exploit the vulnerability.
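
As an added example (not code from the PostgreSQL project or from the original report), the following Python script triages an inventory of `pg_dump --version` or `SHOW server_version` strings against the fixed releases listed above. The host names and version strings are constructed sample data, and the status labels are this example's own.

```python
import re

# Fixed minor release per supported branch, as listed in the article above.
FIXED_MINOR = {16: 4, 15: 8, 14: 13, 13: 16, 12: 20}

# Accepts "16.3", "PostgreSQL 15.7 on x86_64 ...", "pg_dump (PostgreSQL) 14.9 ...".
# Anchored at the start so a compiler version later in the string is never picked up.
_VERSION_RE = re.compile(r"^\s*(?:pg_dump \(PostgreSQL\)|PostgreSQL)?\s*(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) as integers, or None if the string has no major.minor."""
    m = _VERSION_RE.match(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(text):
    """Map one version string to a triage status."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"            # e.g. beta builds such as "17beta2"
    major, minor = parsed
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return "branch-not-listed"   # the article names no fixed release for it
    # Integer comparison matters: as strings, "9" would sort after "13".
    return "patched" if minor >= fixed else "needs-update"


def triage(inventory):
    """inventory: iterable of (host, version_string) -> {host: status}."""
    return {host: classify(version) for host, version in inventory}


# Constructed sample inventory (hypothetical hosts and version strings).
SAMPLE = [
    ("backup-01", "pg_dump (PostgreSQL) 15.7 (Debian 15.7-1.pgdg120+1)"),
    ("db-prod-01", "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc 12.2.0, 64-bit"),
    ("db-legacy", "14.9"),
    ("db-archive", "11.22"),
    ("db-lab", "17beta2"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Because the flaw is in the pg_dump client, the check belongs on every host that runs backups, not only on the database servers.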
