CVE-2024-10979

Updated: 2025-02-12 02:01:14.928723

Description:

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. The exposed language is the trusted plperl, which non-superusers can be allowed to use; the untrusted plperlu already requires superuser and is expected to reach the operating system. The fixed releases make %ENV read-only in PL/Perl, so function bodies can no longer alter the environment of the backend process.
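The following is an added example, not code from this page or from the PostgreSQL project. It turns the advisory's list of fixed releases into an exposure check: the two SQL strings are what an operator would run against the server being assessed, the version helpers decode server_version_num and version() output into tuples, and assess() combines the version with the installed-language facts. The verdict strings, the helper names and the FIXED_RELEASES table layout are this example's own choices; the version numbers themselves come from the description above.

```python
"""Exposure check for CVE-2024-10979 (PL/Perl %ENV manipulation).

Added example, not part of the CVE page or of PostgreSQL itself. The fixed
releases come from the advisory text; the SQL strings are what an operator
would run by hand and are embedded here only as constants.
"""
import re

# First release of each upstream line that carries the fix (advisory text).
FIXED_RELEASES = {
    17: (17, 1),
    16: (16, 5),
    15: (15, 9),
    14: (14, 14),
    13: (13, 17),
    12: (12, 21),
}

# Queries to run on the server being assessed (psql or any client).
VERSION_QUERY = "SHOW server_version_num;"
# Trusted plperl is the exposed language; plperlu already requires superuser.
PLPERL_QUERY = (
    "SELECT lanname, lanpltrusted FROM pg_language "
    "WHERE lanname IN ('plperl', 'plperlu');"
)


def version_from_num(num):
    """Turn server_version_num into a version tuple.

    10+ encodes major*10000 + minor (160004 -> (16, 4)); the legacy 9.x
    scheme encodes major*10000 + minor*100 + patch (90525 -> (9, 5, 25)).
    """
    num = int(num)
    if num >= 100000:
        return (num // 10000, num % 10000)
    return (num // 10000, (num // 100) % 100, num % 100)


def version_from_string(text):
    """Parse 'PostgreSQL 16.4 on x86_64...' or a bare '9.5.25' into a tuple."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return tuple(int(p) for p in m.groups() if p is not None)


def is_upstream_fixed(version):
    """True if this upstream release includes the CVE-2024-10979 fix.

    Only upstream version numbers are judged here; a distro or extended-support
    package can backport the fix without bumping the version (see usage note).
    """
    major = version[0]
    if major < 12:
        # 9.x, 10 and 11 are end-of-life upstream and received no fixed release.
        return False
    fixed = FIXED_RELEASES.get(major)
    if fixed is None:
        # Major lines newer than 17 were released after the fix landed.
        return True
    return version[:2] >= fixed


def assess(server_version_num, languages):
    """Combine version and installed-language facts into a verdict.

    `languages` is the result of PLPERL_QUERY as (lanname, lanpltrusted) rows.
    Trusted plperl reachable by non-superusers is the exposure the CVE
    describes; verdict strings are this example's own wording.
    """
    version = version_from_num(server_version_num)
    if is_upstream_fixed(version):
        return "fixed"
    trusted_plperl = any(name == "plperl" and trusted for name, trusted in languages)
    if trusted_plperl:
        return "vulnerable: trusted plperl installed on unfixed release"
    # Absence of plperl is not a safe state: from PostgreSQL 13 it is a trusted
    # extension that a role with CREATE on the database can install itself.
    return "unfixed release, plperl not installed (patch before anyone enables it)"


if __name__ == "__main__":
    # Constructed sample inputs standing in for query results.
    print(assess(160004, [("plperl", True)]))   # unfixed 16.4 with plperl
    print(assess(160005, [("plperl", True)]))   # 16.5 carries the fix
    print(assess(90525, []))                    # 9.5.25, EOL upstream
```

Two caveats when reading the result. First, is_upstream_fixed() judges upstream version numbers only; the extended-support rows in the status table below ship the fix as a backport under an unchanged package version (for example 9.2.24 or 9.5.25-0 marked Released), so on those systems the package changelog or the CLSA errata, not version(), is the evidence. Second, from PostgreSQL 13 plperl is a trusted extension, so "not installed" only means no role has created it yet; a role with CREATE on a database can add it without superuser, which is why the last verdict still calls for patching.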


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

CVSS Version 2.x: not scored (0)
CVSS Version 3.x: 8.8 HIGH

Status

OS name           | Project name   | Version  | Score | Severity | Status       | Errata               | Last updated        | Statement
AlmaLinux 9.2 ESU | postgresql     | 13.11    | 8.8   | HIGH     | Released     | CLSA-2025:1743011981 | 2025-03-28 03:20:11 |
CentOS 7 ELS      | postgresql     | 9.2.24   | 8.8   | HIGH     | Released     | CLSA-2024:1734372021 | 2024-12-25 23:22:45 |
Ubuntu 16.04 ELS  | postgresql-9.5 | 9.5.25-0 | 8.8   | HIGH     | Released     | CLSA-2025:1747849358 | 2025-05-22 01:57:32 |
Ubuntu 18.04 ELS  | postgresql-10  | 10.23-0  | 8.8   | HIGH     | Needs Triage | (none yet)           | 2025-05-09 04:28:24 |