Vulnerability Description
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Postgresql | Postgresql | >= 12.0, < 12.21 |
Related Weaknesses (CWE)
References
- https://www.postgresql.org/support/security/CVE-2024-10979/Vendor Advisory
- https://github.com/fmora50591/postgresql-env-vuln/blob/main/README.mdExploitMitigationThird Party Advisory
- https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html
- https://security.netapp.com/advisory/ntap-20250110-0003/Third Party Advisory
FAQ
What is CVE-2024-10979?
CVE-2024-10979 is a vulnerability with a CVSS score of 8.8 (HIGH). Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbi...
How severe is CVE-2024-10979?
CVE-2024-10979 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-10979?
Check the references section above for vendor advisories and patch information. Affected products include: Postgresql Postgresql.