Unprivileged User Can Execute Arbitrary Code via Environment Variables
CVE-2024-10979

8.8 HIGH

Key Information:

Vendor: PostgreSQL
CVE Published: 14 November 2024

Badges

Score: 223 | Exploit Exists | News Worthy

Summary

The PostgreSQL open-source database system has a high-severity security flaw (CVE-2024-10979) that allows unprivileged users to alter environment variables, potentially leading to code execution or information disclosure. This vulnerability could enable an attacker to execute arbitrary code by modifying environment variables such as PATH, or extract valuable information by running malicious queries. Exploitation has not been reported, and the issue has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Users are advised to update their systems to prevent potential code execution and data breaches.

Affected Version(s)

PostgreSQL 17 < 17.1

PostgreSQL 16 < 16.5

PostgreSQL 15 < 15.9

News Articles

8.8 Rated PostgreSQL Vulnerability Puts Databases at Risk

Cybersecurity researchers have identified a serious security flaw in PostgreSQL that could lead to data breaches and system compromise.

High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables

Critical PostgreSQL flaw (CVE-2024-10979) patched; update now to prevent code execution and data breaches.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Exploit known to exist

  • First article discovered by The Hacker News

  • Vulnerability published

Credit

The PostgreSQL project thanks Coby Abrams for reporting this problem.