PT-2024-8138 · Postgresql+11
Author: Fabian Mora (+1)
Published: 2024-11-14 · Updated: 2026-04-03
CVE-2024-10979
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions:
PostgreSQL versions prior to 17.1
PostgreSQL versions prior to 16.5
PostgreSQL versions prior to 15.9
PostgreSQL versions prior to 14.14
PostgreSQL versions prior to 13.17
PostgreSQL versions prior to 12.21
Description: PostgreSQL PL/Perl does not correctly control the environment variables of the server process, so an unprivileged database user can change sensitive variables such as PATH. This can be enough to execute arbitrary code as the database server process, even when the attacker has no operating-system account on the database host. Altering environment variables in this way can therefore lead to code execution or information leaks.
Recommendations: Update to a release that contains the fix:
PostgreSQL 17: version 17.1 or later
PostgreSQL 16: version 16.5 or later
PostgreSQL 15: version 15.9 or later
PostgreSQL 14: version 14.14 or later
PostgreSQL 13: version 13.17 or later
PostgreSQL 12: version 12.21 or later
As a temporary workaround until the update can be applied, restrict access to the PL/Perl extension. Limit installed extensions and apply least privilege to minimize the risk of exploitation.
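The following SQL is added here as a worked example; it is not part of the original advisory or of PostgreSQL's own tooling. It carries out the two defensive steps above on a live server: it compares server_version_num with the fixed minor releases listed in the advisory, inventories the installed PL/Perl languages and functions, and then revokes PUBLIC's USAGE on the trusted plperl language as the interim workaround. The fixed-version table is taken from the advisory; the assumption that the fix is present at or above those minor releases and absent below them holds for upstream builds, but distribution packages may backport the fix under an older version string, so confirm against the vendor advisory (see Related Identifiers) before treating a version mismatch as conclusive.

```sql
-- 1. Version check. On PostgreSQL 10+ server_version_num is major*10000 + minor.
--    Fixed releases per the advisory: 17.1, 16.5, 15.9, 14.14, 13.17, 12.21.
DO $$
DECLARE
    v     int := current_setting('server_version_num')::int;
    major int := v / 10000;
    fixed int;
BEGIN
    fixed := CASE major
        WHEN 17 THEN 170001
        WHEN 16 THEN 160005
        WHEN 15 THEN 150009
        WHEN 14 THEN 140014
        WHEN 13 THEN 130017
        WHEN 12 THEN 120021
        ELSE NULL
    END;

    IF fixed IS NULL THEN
        RAISE NOTICE 'major version % is outside the range covered by the advisory; check vendor notes', major;
    ELSIF v < fixed THEN
        RAISE WARNING 'server_version_num % is below the fixed release % (CVE-2024-10979)', v, fixed;
    ELSE
        RAISE NOTICE 'server_version_num % is at or above the fixed release %', v, fixed;
    END IF;
END
$$;

-- 2. Inventory: which PL/Perl languages are installed, whether they are trusted
--    (usable by non-superusers), and who currently holds USAGE on them.
SELECT lanname, lanpltrusted, lanacl
FROM   pg_language
WHERE  lanname IN ('plperl', 'plperlu');

-- 3. Inventory: existing PL/Perl functions, so the workaround does not silently
--    break application code. USAGE on a language only governs who may create
--    new functions in it; callers with EXECUTE can still run existing ones.
SELECT n.nspname AS schema_name, p.proname AS function_name, l.lanname AS language_name
FROM   pg_proc p
JOIN   pg_language  l ON l.oid = p.prolang
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  l.lanname IN ('plperl', 'plperlu')
ORDER  BY 1, 2;

-- 4. Interim workaround: the trusted language plperl grants USAGE to PUBLIC by
--    default. Revoking it stops unprivileged roles from creating new PL/Perl
--    functions until the server is updated. plperlu is already superuser-only.
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;

-- 5. Verify: the '=U/<owner>' entry (PUBLIC usage) should be gone from lanacl.
SELECT lanname, lanacl
FROM   pg_language
WHERE  lanname = 'plperl';
```

Run the script as a superuser in each database where plperl is installed; language privileges are per database, not cluster-wide. Re-granting USAGE to the specific roles that legitimately need to create PL/Perl functions is preferable to leaving it open to PUBLIC, and the revoke should stay in place until the version check above reports a fixed release.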

Tags: Exploit, Fix, RCE

Weakness Enumeration

Related Identifiers

ALSA-2024:10785
ALSA-2024:10787
ALSA-2024:10788
ALSA-2024:10791
ALSA-2024:10830
ALSA-2024:10831
ALSA-2024:10832
ALT-PU-2024-15897
ALT-PU-2024-15899
ALT-PU-2024-15900
ALT-PU-2024-15901
ALT-PU-2024-15902
ALT-PU-2024-15905
ALT-PU-2024-15907
ALT-PU-2024-16008
ALT-PU-2024-16010
ALT-PU-2024-16011
ALT-PU-2024-16012
ALT-PU-2024-16013
ALT-PU-2024-16159
ALT-PU-2024-16161
ALT-PU-2024-16162
ALT-PU-2024-16163
ALT-PU-2024-16164
ALT-PU-2024-16165
ALT-PU-2024-16336
ALT-PU-2024-16338
ALT-PU-2024-17039
ALT-PU-2024-17041
ALT-PU-2024-17042
ALT-PU-2024-17043
ALT-PU-2024-17044
AZL-53198
AZL-53212
BDU:2024-09679
BIT-POSTGRESQL-2024-10979
CESA-2024_10785
CESA-2024_10830
CESA-2024_10831
CESA-2024_10832
CLEANSTART-2026-KA40024
CLEANSTART-2026-ZC18474
CVE-2024-10979
DLA-3954-1
DSA-5812-1
DSA-5812-2
ECHO-A285-F305-CA67
INFSA-2024_10785
INFSA-2024_10787
INFSA-2024_10788
INFSA-2024_10791
INFSA-2024_10830
INFSA-2024_10831
INFSA-2024_10832
JLSEC-2026-50
MGASA-2024-0372
OESA-2024-2427
OESA-2024-2428
OESA-2024-2429
OESA-2024-2430
OESA-2024-2466
OESA-2024-2467
OESA-2024-2468
OESA-2024-2469
OESA-2025-1335
OPENSUSE-SU-2024:14501-1
OPENSUSE-SU-2024:14502-1
OPENSUSE-SU-2024:14503-1
OPENSUSE-SU-2024:14504-1
OPENSUSE-SU-2024:14505-1
OPENSUSE-SU-2024:14506-1
OPENSUSE-SU-2024_4063-1
OPENSUSE-SU-2024_4098-1
OPENSUSE-SU-2024_4099-1
OPENSUSE-SU-2024_4118-1
OPENSUSE-SU-2024_4173-1
OPENSUSE-SU-2024_4174-1
OPENSUSE-SU-2024_4175-1
OPENSUSE-SU-2024_4176-1
RHSA-2024:10593
RHSA-2024:10595
RHSA-2024:10677
RHSA-2024:10705
RHSA-2024:10736
RHSA-2024:10739
RHSA-2024:10750
RHSA-2024:10785
RHSA-2024:10787
RHSA-2024:10788
RHSA-2024:10789
RHSA-2024:10791
RHSA-2024:10800
RHSA-2024:10807
RHSA-2024:10827
RHSA-2024:10830
RHSA-2024:10831
RHSA-2024:10832
RHSA-2024:10846
RHSA-2024:10851
RHSA-2024:10879
RHSA-2024:10882
RHSA-2024_10785
RHSA-2024_10787
RHSA-2024_10788
RHSA-2024_10791
RHSA-2024_10830
RHSA-2024_10831
RHSA-2024_10832
RLSA-2024:10785
RLSA-2024:10787
RLSA-2024:10788
RLSA-2024:10830
RLSA-2024:10831
RLSA-2024:10832
ROSA-SA-2025-2787
ROSA-SA-2025-2788
SUSE-SU-2024:4052-1
SUSE-SU-2024:4063-1
SUSE-SU-2024:4095-1
SUSE-SU-2024:4096-1
SUSE-SU-2024:4097-1
SUSE-SU-2024:4098-1
SUSE-SU-2024:4099-1
SUSE-SU-2024:4114-1
SUSE-SU-2024:4118-1
SUSE-SU-2024:4173-1
SUSE-SU-2024:4174-1
SUSE-SU-2024:4175-1
SUSE-SU-2024:4176-1
SUSE-SU-2025:01799-1
SUSE-SU-2025_01799-1
USN-7132-1
USN-7358-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Postgresql
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Zvirt Node