CVE-2024-10979

Description

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

How to fix CVE-2024-10979

To remediate CVE-2024-10979, upgrade the affected package to a fixed version below.

• —upgrade to 14.14-r0 or later
• —upgrade to 15.9-r0 or later
• —upgrade to 16.5-r0 or later
• —upgrade to 17.1-r0 or later
• —upgrade to 13.17.0 or later
• —upgrade to 13.17-0+deb11u1 or later
• —upgrade to 15.9-0+deb12u1 or later
• —upgrade to 17.1-1 or later

Is CVE-2024-10979 being exploited?

Moderate — EPSS is 6.4%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (8)

• from 0, < 14.14-r0
• from 0, < 15.9-r0
• from 0, < 16.5-r0
• from 0, < 17.1-r0
• from 0, < 13.17.0, >= 14.0.0, < 14.14.0, >= 15.0.0, < 15.9.0, >= 16.0.0, < 16.5.0, >= 17.0.0, < 17.1.0
• from 0, < 13.17-0+deb11u1
• from 0, < 15.9-0+deb12u1
• from 0, < 17.1-1

CVSS scores

References (7)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-10979
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-10979
• WEBgithub.com/fmora50591/postgresql-env-vuln/blob/main/README.md
• WEBlists.debian.org/debian-lts-announce/2024/11/msg00011.html