PostgreSQL PL/Perl Environment Variable Control Vulnerability
CVE-2024-10979 Published on November 14, 2024
PostgreSQL PL/Perl environment variable changes execute arbitrary code
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
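A triage check for the affected-version list above, added here as an example and not taken from the PostgreSQL project or this page: it reads a server's version string and its installed procedural languages and reports whether the server predates the fixed releases. The inventory rows are constructed; collecting the language names from `pg_language` and labelling majors below 12 as unsupported are assumptions.

```python
import re

# First fixed minor release on each major line, as listed in the advisory text.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

def parse_version(text):
    """Return (major, minor) from server_version or a version() banner."""
    m = re.match(r"\s*(?:PostgreSQL\s+)?(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    # Pre-releases such as "17beta1" carry no minor number; count them as .0.
    return int(m.group(1)), int(m.group(2) or 0)

def triage(version_text, languages):
    """Classify one server for CVE-2024-10979."""
    major, minor = parse_version(version_text)
    if major > max(FIXED_MINOR):
        return "patched"        # major line first released after the fixes
    if major not in FIXED_MINOR:
        return "unsupported"    # assumption: below 12, no fixed release listed
    if minor >= FIXED_MINOR[major]:
        return "patched"
    # The flaw is in PL/Perl, so a server with it installed is the priority.
    has_plperl = any(l.lower() in ("plperl", "plperlu") for l in languages)
    # Without PL/Perl the server still needs the update: it could be added later.
    return "exposed" if has_plperl else "upgrade"

# Constructed inventory: (host, version string, lanname values from pg_language).
INVENTORY = [
    ("db-a", "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc",
     ["plpgsql", "plperl"]),
    ("db-b", "15.9 (Debian 15.9-1.pgdg120+1)", ["plpgsql", "plperlu"]),
    ("db-c", "17beta1", ["plpgsql"]),
    ("db-d", "11.22", ["plpgsql", "plperl"]),
    ("db-e", "12.20", ["plpgsql"]),
]

def report(inventory=INVENTORY):
    """Map each host to its triage status."""
    return {host: triage(ver, langs) for host, ver, langs in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```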
Weakness Type
External Control of System or Configuration Setting
One or more system settings or configuration elements can be externally controlled by a user. Allowing external control of system settings can disrupt service or cause an application to behave in unexpected, and potentially malicious ways.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.