CVE-2024-10979

Updated: 2024-11-30 04:45:47.463853

Description:

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.


Links: NIST, CIRCL, RHEL, Ubuntu

Severity

| | Severity | Score |
|---|---|---|
| CVSS Version 2.x | NONE | 0 |
| CVSS Version 3.x | HIGH | 8.8 |

Status

| OS name | Project name | Version | Score | Severity | Status | Errata | Last updated | Statement |
|---|---|---|---|---|---|---|---|---|
| CentOS 7 ELS | postgresql | 9.2.24 | 8.8 | HIGH | In Testing | | 2024-11-27 11:55:17 | |
| Ubuntu 16.04 ELS | postgresql-9.5 | 9.5.25-0 | 8.8 | HIGH | Needs Triage | | 2024-11-15 09:43:07 | |
| Ubuntu 18.04 ELS | postgresql-10 | 10.23-0 | 8.8 | HIGH | Needs Triage | | 2024-11-15 09:43:14 | |