CVE-2024-10979

Public on 2024-11-14

Modified on 2024-11-19

Description

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Severity

Important

CVSS v3 Base Score

8.8

See breakdown

Affected Packages

Platform	Package	Status
Amazon Linux 2 - Core	postgresql	Pending Fix
Amazon Linux 2 - Postgresql13 Extra	postgresql	Pending Fix
Amazon Linux 2 - Postgresql14 Extra	postgresql	Pending Fix
Amazon Linux 2023	postgresql15	Pending Fix
Amazon Linux 2023	postgresql16	Pending Fix
Amazon Linux 1	postgresql8	No Fix Planned
Amazon Linux 1	postgresql92	No Fix Planned
Amazon Linux 1	postgresql93	No Fix Planned
Amazon Linux 1	postgresql94	No Fix Planned
Amazon Linux 1	postgresql95	No Fix Planned
Amazon Linux 1	postgresql96	No Fix Planned

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
NVD	CVSSv3	8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2024-10979 Mitre: CVE-2024-10979