CVE-2024-10979

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2024-10979

CGA ID

CGA-283r-j3hm-p82p

Severity

8.8

High

CVSS V3

Description

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

References

https://images.chainguard.dev/security/CGA-283r-j3hm-p82p
https://github.com/advisories/GHSA-2r9h-x757-8j9q
https://www.postgresql.org/support/security/CVE-2024-10979/
https://security.netapp.com/advisory/ntap-20250110-0003/
https://github.com/fmora50591/postgresql-env-vuln/blob/main/README.md
https://security.alpinelinux.org/vuln/CVE-2024-10979
https://security-tracker.debian.org/tracker/CVE-2024-10979

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

CVE-2024-10979

Severity

Description

References

Affected packages

Product

Why Chainguard

Customers

Company

Resources