CVE-2024-1597

PostgreSQL SQL Injection in pg_dump Utility

Vendor: PostgreSQL Global Development Group
CWE: CWE-89
Tags: SQL Injection, Database, Linux, Authenticated
CVSS Score: 9.0 (Critical, on a 0.0 to 10.0 scale)

Vulnerability Description

A critical SQL injection vulnerability in the PostgreSQL pg_dump utility allows authenticated attackers to execute arbitrary SQL commands with elevated database privileges during the backup process. This can lead to full database compromise.

Recommended Mitigation

Upgrade PostgreSQL to 16.2, 15.6, 14.11, 13.14, or 12.18. Restrict pg_dump access to trusted administrators.

Affected Products

PostgreSQL 12
PostgreSQL 13
PostgreSQL 14
PostgreSQL 15
PostgreSQL 16

Version constraint: All versions before 16.2, 15.6, 14.11, 13.14, 12.18

Quick Facts

Published
2024-02-08
Last Modified
2024-02-12
Vendor
PostgreSQL Global Development Group
CWE
CWE-89
Exploit
✅ No Known Exploit

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H