CVE-2024-10979
published 2024-11-14

Priority: P2 · 64 · high · 8.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 4.42% (90.2th percentile)

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Affected

19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | postgresql-13 | < postgresql-13 13.17-0+deb11u1 (bullseye) | postgresql-13 13.17-0+deb11u1 (bullseye) |
| debian | postgresql-15 | < postgresql-13 13.17-0+deb11u1 (bullseye) | postgresql-13 13.17-0+deb11u1 (bullseye) |
| debian | postgresql-17 | < postgresql-13 13.17-0+deb11u1 (bullseye) | postgresql-13 13.17-0+deb11u1 (bullseye) |
| msrc | azl3_postgresql_16.4-2_on_azure_linux_3.0 | | |
| msrc | azl3_postgresql_16.5-1_on_azure_linux_3.0 | | |
| msrc | cbl2_postgresql_14.14-1_on_cbl_mariner_2.0 | | |
| msrc | cbl2_postgresql_14.16-1_on_cbl_mariner_2.0 | | |
| postgresql | postgresql | < 12.21 | 12.21 |
| postgresql | postgresql | >= 12.0 < 12.21 | 12.21 |
| postgresql | postgresql | >= 13 < 13.17 | 13.17 |
| postgresql | postgresql | >= 13.0 < 13.17 | 13.17 |
| postgresql | postgresql | >= 14 < 14.14 | 14.14 |
| postgresql | postgresql | >= 14.0 < 14.14 | 14.14 |
| postgresql | postgresql | >= 15 < 15.9 | 15.9 |
| postgresql | postgresql | >= 15.0 < 15.9 | 15.9 |
| postgresql | postgresql | >= 16 < 16.5 | 16.5 |
| postgresql | postgresql | >= 16.0 < 16.5 | 16.5 |
| postgresql | postgresql | >= 17 < 17.1 | 17.1 |
| postgresql | postgresql | >= 17.0 < 17.1 | 17.1 |

Detection & IOCs (extracted from sources)

  • CVE-2024-10979 is exploitable via PostgreSQL PL/Perl functions that modify process environment variables such as PATH; monitor for unprivileged database users creating or executing PL/Perl functions that alter environment variables
  • Audit user-created PL/Perl (and PL/Python) functions in PostgreSQL for environment variable manipulation; creation of such functions by non-superuser roles is a strong indicator of an exploitation attempt
  • Restrict and monitor grants of USAGE/CREATE on PL/Perl and PL/Python languages to detect privilege abuse enabling this vulnerability
  • Affected versions are PostgreSQL 12.x before 12.21, 13.x before 13.17, 14.x before 14.14, 15.x before 15.9, 16.x before 16.5, and 17.x before 17.1; patched versions are not vulnerable
  • The vulnerability requires the PL/Perl extension to be installed and accessible to unprivileged users; deployments without PL/Perl are not affected by this specific vector
  • An attacker does not need an OS-level account on the database server to exploit this vulnerability; only an unprivileged database user account is required
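
One way to run the audit described in the bullets above, as an added example that is not part of the advisory or of PostgreSQL's own tooling. It assumes a superuser session in each database and the default standard_conforming_strings = on; the source-text match is a heuristic that also flags harmless reads of the environment, so every hit needs manual review.

```sql
-- Added audit example; read-only queries against the system catalogs.

-- 1. Server version, to compare against the fixed releases listed above.
SHOW server_version;

-- 2. PL/Perl and PL/Python functions whose source text references the
--    process environment. Heuristic only: it matches reads as well as writes.
SELECT n.nspname     AS schema_name,
       p.proname     AS function_name,
       l.lanname     AS language,
       r.rolname     AS owner,
       r.rolsuper    AS owner_is_superuser
FROM   pg_proc      p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
JOIN   pg_roles     r ON r.oid = p.proowner
WHERE  (l.lanname LIKE 'plperl%' OR l.lanname LIKE 'plpython%')
  AND  (p.prosrc ~ '[$%]ENV\M'                           -- Perl: $ENV{...} or %ENV
        OR p.prosrc ~ 'os\.(environ|putenv|unsetenv)')   -- Python: os.environ etc.
ORDER  BY r.rolsuper, n.nspname, p.proname;              -- non-superuser owners first

-- 3. Non-superuser roles that hold USAGE on a trusted PL/Perl language,
--    i.e. roles able to create PL/Perl functions at all.
--    Untrusted languages (plperlu, plpython3u) are superuser-only and are
--    excluded by the lanpltrusted filter.
SELECT l.lanname     AS language,
       r.rolname     AS role_name,
       r.rolcanlogin AS can_login
FROM   pg_language l
CROSS  JOIN pg_roles r
WHERE  l.lanname LIKE 'plperl%'
  AND  l.lanpltrusted
  AND  NOT r.rolsuper
  AND  has_language_privilege(r.oid, l.oid, 'USAGE')
ORDER  BY l.lanname, r.rolname;
```

An empty result from query 3 means no unprivileged role can reach PL/Perl in that database, which matches the "not affected by this specific vector" condition in the list above.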

CVSS provenance

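| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_msrc | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |
| vendor_ubuntu | | 4.2 | MEDIUM | |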