CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-10979: PostgreSQL PL/Perl environment variable changes execute arbitrary code

8.8 CVSS

Description

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Classification

CVE ID: CVE-2024-10979

CVSS Base Severity: HIGH

CVSS Base Score: 8.8

Affected Products

Vendor: n/a

Product: PostgreSQL

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 11.47% (scored less or equal to compared to others)

EPSS Date: 2025-02-08 (when was this score calculated)

References

https://www.postgresql.org/support/security/CVE-2024-10979/

Timeline

2025-01-11 00:30:18 UTC
CVE

PostgreSQL PL/Perl environment variable changes execute arbitrary code
2025-02-26 10:46:32 UTC
Tenable Plugins

Amazon Linux 2 : postgresql (ALAS-2025-2764)