
Fabian Mora

#28548 of 53,632
9 Total CVSS
Vulnerabilities · 1
PT-2024-8138
9.0
2024-11-14
Postgresql · Postgresql · CVE-2024-10979
Name of the Vulnerable Software and Affected Versions:
- PostgreSQL versions prior to 17.1
- PostgreSQL versions prior to 16.5
- PostgreSQL versions prior to 15.9
- PostgreSQL versions prior to 14.14
- PostgreSQL versions prior to 13.17
- PostgreSQL versions prior to 12.21

Description: The issue is related to incorrect control of environment variables in PostgreSQL PL/Perl, allowing an unprivileged database user to change sensitive process environment variables, such as `PATH`. This can enable arbitrary code execution, even if the attacker lacks a database server operating system user. The vulnerability can be exploited by altering environment variables, potentially leading to code execution or information leaks.

Recommendations:
- Update to version 17.1 or later to resolve the issue.
- Update to version 16.5 or later to resolve the issue.
- Update to version 15.9 or later to resolve the issue.
- Update to version 14.14 or later to resolve the issue.
- Update to version 13.17 or later to resolve the issue.
- Update to version 12.21 or later to resolve the issue.
- As a temporary workaround, consider restricting access to the PL/Perl extension until a patch is available.
- Limit extensions and use least privilege to minimize the risk of exploitation.