Updated: 2024-11-30 04:45:47.463853
Description:
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Links | NIST | CIRCL | RHEL | Ubuntu |
Severity | Score | |
---|---|---|
CVSS Version 2.x | NONE | 0 |
CVSS Version 3.x | HIGH | 8.8 |
OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
---|---|---|---|---|---|---|---|---|
CentOS 7 ELS | postgresql | 9.2.24 | 8.8 | HIGH | In Testing | 2024-11-27 11:55:17 | ||
Ubuntu 16.04 ELS | postgresql-9.5 | 9.5.25-0 | 8.8 | HIGH | Needs Triage | 2024-11-15 09:43:07 | ||
Ubuntu 18.04 ELS | postgresql-10 | 10.23-0 | 8.8 | HIGH | Needs Triage | 2024-11-15 09:43:14 |