CVE-2024-10979
Published: 2024-11-14
Priority: P2 · 64 · high · CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 4.42% (90.2th percentile)
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | postgresql-13 | < postgresql-13 13.17-0+deb11u1 (bullseye) | postgresql-13 13.17-0+deb11u1 (bullseye) |
| debian | postgresql-15 | < postgresql-13 13.17-0+deb11u1 (bullseye) | postgresql-13 13.17-0+deb11u1 (bullseye) |
| debian | postgresql-17 | < postgresql-13 13.17-0+deb11u1 (bullseye) | postgresql-13 13.17-0+deb11u1 (bullseye) |
| msrc | azl3_postgresql_16.4-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_postgresql_16.5-1_on_azure_linux_3.0 | — | — |
| msrc | cbl2_postgresql_14.14-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_postgresql_14.16-1_on_cbl_mariner_2.0 | — | — |
| postgresql | postgresql | < 12.21 | 12.21 |
| postgresql | postgresql | >= 12.0 < 12.21 | 12.21 |
| postgresql | postgresql | >= 13 < 13.17 | 13.17 |
| postgresql | postgresql | >= 13.0 < 13.17 | 13.17 |
| postgresql | postgresql | >= 14 < 14.14 | 14.14 |
| postgresql | postgresql | >= 14.0 < 14.14 | 14.14 |
| postgresql | postgresql | >= 15 < 15.9 | 15.9 |
| postgresql | postgresql | >= 15.0 < 15.9 | 15.9 |
| postgresql | postgresql | >= 16 < 16.5 | 16.5 |
| postgresql | postgresql | >= 16.0 < 16.5 | 16.5 |
| postgresql | postgresql | >= 17 < 17.1 | 17.1 |
| postgresql | postgresql | >= 17.0 < 17.1 | 17.1 |
Detection & IOCs (extracted from sources)
- CVE-2024-10979 is exploitable via PostgreSQL PL/Perl functions that modify process environment variables such as PATH; monitor for unprivileged database users creating or executing PL/Perl functions that alter environment variables.
- Audit user-created PL/Perl (and PL/Python) functions in PostgreSQL for environment variable manipulation; creation of such functions by non-superuser roles is a strong indicator of an exploitation attempt.
- Restrict and monitor grants of USAGE/CREATE on the PL/Perl and PL/Python languages to detect privilege abuse enabling this vulnerability.
- Affected versions are PostgreSQL 12.x before 12.21, 13.x before 13.17, 14.x before 14.14, 15.x before 15.9, 16.x before 16.5, and 17.x before 17.1; patched versions are not vulnerable.
- The vulnerability requires the PL/Perl extension to be installed and accessible to unprivileged users; deployments without PL/Perl are not affected by this specific vector.
- An attacker does not need an OS-level account on the database server to exploit this vulnerability; only an unprivileged database user account is required.
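CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | 8.8 | HIGH | |
| vendor_debian | 8.8 | HIGH | |
| vendor_msrc | 8.8 | HIGH | |
| vendor_redhat | 8.8 | HIGH | |
| vendor_ubuntu | 4.2 | MEDIUM | |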
Ubuntu
PostgreSQL vulnerabilities
vendor_ubuntu·2025-03-19·CVSS 4.2
CVE-2024-10976 [MEDIUM] PostgreSQL vulnerabilities
Summary: Several security issues were fixed in PostgreSQL.
Wolfgang Walther discovered that PostgreSQL incorrectly tracked tables with
row security. A remote attacker could possibly use this issue to perform
forbidden reads and modifications. (CVE-2024-10976)
Jacob Champion discovered that PostgreSQL clients used untrusted server
error messages. An attacker that is able to intercept network
communications could possibly use this issue to inject error messages that
could be interpreted as valid query results. (CVE-2024-10977)
Tom Lane discovered that PostgreSQL incorrectly handled certain privilege
assignments. A remote attacker could possibly use this issue to view or
change different rows from those intended. (CVE-2024-10978)
Coby Abrams discovered t
Ubuntu
PostgreSQL vulnerabilities
vendor_ubuntu·2024-12-02·CVSS 4.2
CVE-2024-10978 [MEDIUM] PostgreSQL vulnerabilities
Summary: Several security issues were fixed in PostgreSQL.
It was discovered that PostgreSQL incorrectly tracked tables with row
security. A remote attacker could possibly use this issue to perform
forbidden reads and modifications. (CVE-2024-10976)
Jacob Champion discovered that PostgreSQL clients used untrusted server
error messages. An attacker that is able to intercept network
communications could possibly use this issue to inject error messages that
could be interpreted as valid query results. (CVE-2024-10977)
Tom Lane discovered that PostgreSQL incorrectly handled certain privilege
assignments. A remote attacker could possibly use this issue to view or
change different rows from those intended. (CVE-2024-10978)
Coby Abrams discovered that Postgr
Red Hat
postgresql: PostgreSQL PL/Perl environment variable changes execute arbitrary code
vendor_redhat·2024-11-14·CVSS 8.8
CVE-2024-10979 [HIGH] CWE-15 postgresql: PostgreSQL PL/Perl environment variable changes execute arbitrary code
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
A flaw was found in PostgreSQL PL/Perl. This vulnerability allows an unprivileged database user to change sensitive process environment variables (e.g., PATH) via incorrect control of environment variables.
Statement: This vulnerability has been given a severity rating of important because the ability to modify sensitive process environment
Microsoft
PostgreSQL PL/Perl environment variable changes execute arbitrary code
vendor_msrc·2024-11-12·CVSS 8.8
CVE-2024-10979 [HIGH] CWE-15 PostgreSQL PL/Perl environment variable changes execute arbitrary code
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
PostgreSQL: PostgreSQL
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Debian
CVE-2024-10979: postgresql-13 - Incorrect control of environment variables in PostgreSQL PL/Perl allows an unpri...
vendor_debian·2024·CVSS 8.8
CVE-2024-10979 [HIGH] CVE-2024-10979: postgresql-13 - Incorrect control of environment variables in PostgreSQL PL/Perl allows an unpri...
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Scope: local
bullseye: resolved (fixed in 13.17-0+deb11u1)
OSV
postgresql-9.5 vulnerabilities
osv·2025-03-19·CVSS 5.4
CVE-2024-10976 [MEDIUM] postgresql-9.5 vulnerabilities
Wolfgang Walther discovered that PostgreSQL incorrectly tracked tables with
row security. A remote attacker could possibly use this issue to perform
forbidden reads and modifications. (CVE-2024-10976)
Jacob Champion discovered that PostgreSQL clients used untrusted server
error messages. An attacker that is able to intercept network
communications could possibly use this issue to inject error messages that
could be interpreted as valid query results. (CVE-2024-10977)
Tom Lane discovered that PostgreSQL incorrectly handled certain privilege
assignments. A remote attacker could possibly use this issue to view or
change different rows from those intended. (CVE-2024-10978)
Coby Abrams discovered that PostgreSQL incorrectly handled environment
variables. A rem
OSV
postgresql-12, postgresql-14, postgresql-16 vulnerabilities
osv·2024-12-02·CVSS 5.4
CVE-2024-10976 [MEDIUM] postgresql-12, postgresql-14, postgresql-16 vulnerabilities
It was discovered that PostgreSQL incorrectly tracked tables with row
security. A remote attacker could possibly use this issue to perform
forbidden reads and modifications. (CVE-2024-10976)
Jacob Champion discovered that PostgreSQL clients used untrusted server
error messages. An attacker that is able to intercept network
communications could possibly use this issue to inject error messages that
could be interpreted as valid query results. (CVE-2024-10977)
Tom Lane discovered that PostgreSQL incorrectly handled certain privilege
assignments. A remote attacker could possibly use this issue to view or
change different rows from those intended. (CVE-2024-10978)
Coby Abrams discovered that PostgreSQL incorrectly handled environme
OSV
CVE-2024-10979: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variable
osv·2024-11-14·CVSS 8.8
CVE-2024-10979 [HIGH] CVE-2024-10979: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variable
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
GHSA
GHSA-2r9h-x757-8j9q: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variable
ghsa_unreviewed·2024-11-14
CVE-2024-10979 [HIGH] CWE-15 GHSA-2r9h-x757-8j9q: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variable
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
No detection rules found.
No public exploits indexed.
Published: 2024-11-14