CVE-2024-10979

moderate-risk
Published 2024-11-14

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Do I need to act?

~
6.9% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Postgresql

References (4)

Vendor Advisory https://www.postgresql.org/support/security/CVE-2024-10979/
Exploit https://github.com/fmora50591/postgresql-env-vuln/blob/main/README.md
https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html
Third Party Advisory https://security.netapp.com/advisory/ntap-20250110-0003/
44
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 9/34 · Low
Exposure 5/34 · Minimal