CVE-2024-10979 — External Control of System or Configuration Setting in Postgresql

CWE-15 — External Control of System or Configuration Setting CWE-610 — Externally Controlled Reference to a Resource in Another Sphere11 documents8 sources

Severity

8.8HIGHNVD

OSV5.4

EPSS

6.9%

top 8.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Debian Postgresql-13 Debian Postgresql-15 +5 more

Timeline

PublishedNov 14

Latest updateMar 19

Description

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages9 packages

▶debiandebian/postgresql-13< postgresql-13 13.17-0+deb11u1 (bullseye)

▶debiandebian/postgresql-15< postgresql-13 13.17-0+deb11u1 (bullseye)

▶debiandebian/postgresql-17< postgresql-13 13.17-0+deb11u1 (bullseye)

▶CVEListV5postgresql/postgresql17 — 17.1+5

▶NVDpostgresql/postgresql12.0 — 12.21+5

🔴Vulnerability Details

OSV

postgresql-9.5 vulnerabilities↗2025-03-19

▶

OSV

postgresql-12, postgresql-14, postgresql-16 vulnerabilities↗2024-12-02

▶

OSV

CVE-2024-10979: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variable↗2024-11-14

▶

GHSA

GHSA-2r9h-x757-8j9q: Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variable↗2024-11-14

▶

CVEList

PostgreSQL PL/Perl environment variable changes execute arbitrary code↗2024-11-14

▶

📋Vendor Advisories

Ubuntu

PostgreSQL vulnerabilities↗2025-03-19

▶

Ubuntu

PostgreSQL vulnerabilities↗2024-12-02

▶

Red Hat

postgresql: PostgreSQL PL/Perl environment variable changes execute arbitrary code↗2024-11-14

▶

Microsoft

PostgreSQL PL/Perl environment variable changes execute arbitrary code↗2024-11-12

▶

Debian

CVE-2024-10979: postgresql-13 - Incorrect control of environment variables in PostgreSQL PL/Perl allows an unpri...↗2024

▶