FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial
FeedlyFeedly
CVEsCVEs
Threat IntelligenceThreat Intelligence
Threat IntelligenceThreat Intelligence
Log in
ChangelogChangelog
ChangelogChangelog
Log in
Log in
Start Free Trial
Start Free Trial

CVE-2024-10979

External Control of System or Configuration Setting (CWE-15)

Published: Nov 14, 2024 / Updated: 5d ago

010
CVSS 8.8EPSS 0.04%High
CVE info copied to clipboard

Summary

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). This vulnerability often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. The vulnerability affects versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21.

Impact

This vulnerability has a high severity with a CVSS base score of 8.8. It allows unprivileged database users to potentially execute arbitrary code on the database server. The attack vector is network-based, requires low attack complexity, and needs only low privileges to exploit. There is no user interaction required. The impact on confidentiality, integrity, and availability is high. This could lead to unauthorized access to sensitive data, manipulation of database contents, or disruption of database services.

Exploitation

There is no evidence that a public proof-of-concept exists. Its exploitation has been reported by various sources, including talkback.sh.

Patch

Patches are available. Users should upgrade to PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, or 12.21 or later, depending on their current major version, to mitigate the vulnerability.

Mitigation

1. Update PostgreSQL to the latest patched versions: 17.1, 16.5, 15.9, 14.14, 13.17, or 12.21, depending on your current major version. 2. If immediate patching is not possible, consider restricting network access to the PostgreSQL server. 3. Review and limit the privileges of database users, especially their ability to interact with PL/Perl functions. 4. Monitor for any suspicious activities or unauthorized changes to environment variables, particularly PATH. 5. Implement the principle of least privilege for database users and roles. 6. Regularly audit PL/Perl functions and their usage within the database.

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article

Feedly found the first article mentioning CVE-2024-10979. See article

Nov 11, 2024 at 5:26 PM / git.postgresql.org Git - postgresql.git/rss log
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 11, 2024 at 5:26 PM
CVE Assignment

NVD published the first details for CVE-2024-10979

Nov 14, 2024 at 1:15 PM
CVSS

A CVSS base score of 8.8 has been assigned.

Nov 14, 2024 at 1:21 PM / nvd
Threat Intelligence Report

CVE-2024-10979 is a critical vulnerability in the PostgreSQL PL/Perl environment that allows for the execution of arbitrary code through environment variable changes. The details regarding its exploitation in the wild, proof-of-concept exploits, mitigations, detections, patches, or downstream impacts on third-party vendors are not provided in the available information. Further investigation is necessary to assess the full scope and implications of this vulnerability. See article

Nov 14, 2024 at 3:24 PM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10.2%)

Nov 15, 2024 at 10:20 AM
Exploitation in the Wild

Attacks in the wild have been reported by Talkback Tech. See article

Nov 15, 2024 at 3:53 PM / Talkback Tech
Trending

This CVE started to trend in security discussions

Nov 15, 2024 at 11:21 PM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (6016842)

Nov 16, 2024 at 6:15 AM
Static CVE Timeline Graph

Affected Systems

Postgresql/postgresql
+null more

Patches

bugzilla.redhat.com
+null more

Links to Mitre Att&cks

T1562.003: Impair Command History Logging
+null more

Attack Patterns

CAPEC-13: Subverting Environment Variable Values
+null more

Vendor Advisory

CVE-2024-10979
Red Hat CVE Database / 1d
Red Hat Enterprise Linux 7 - postgresql - Affected Red Hat Enterprise Linux 8 - postgresql:12/postgresql - Affected

References

Last Week in Security - 2024-11-18
SIXGEN / 19h
The honeypot attracted attackers using tools like FFUF and Masscan, highlighting the importance of strong access controls and prompt application of security patches to mitigate cyber risks. The Problem with IoT Cloud-Connectivity and How it Exposed All OvrC Devices to Hijacking - Team82 conducted research on the security of the OvrC cloud platform, revealing 10 vulnerabilities that allowed attackers to execute code on OvrC cloud-connected devices.
PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 released
Linux Compatible / 5d
Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies.

News

Last Week in Security - 2024-11-18
SIXGEN / 19h
The honeypot attracted attackers using tools like FFUF and Masscan, highlighting the importance of strong access controls and prompt application of security patches to mitigate cyber risks. The Problem with IoT Cloud-Connectivity and How it Exposed All OvrC Devices to Hijacking - Team82 conducted research on the security of the OvrC cloud platform, revealing 10 vulnerabilities that allowed attackers to execute code on OvrC cloud-connected devices.
Delay in Postgres minor versions for Aurora?
r/aws / 1d
PostgreSQL 12.21 was released ~5 days ago which addresses an 8.8 CVE: https://www.postgresql.org/support/security/CVE-2024-10979/ Postgres RDS has this version: https://docs.aws.amazon.com/AmazonRDS/latest/PostgreSQLReleaseNotes/postgresql-versions.html#postgresql-versions-version1221 But version 12.21 Aurora doesn't have this version: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraPostgreSQLReleaseNotes/AuroraPostgreSQL.Updates.html#aurorapostgresql-versions-version12 Is there normally a delay in patches for Aurora over Postgres on RDS? submitted by /u/nowsplashattack [link] [comments]
Debian dsa-5812 : libecpg-compat3 - security update
Newest Nessus Plugins from Tenable / 1d
The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5812 advisory. Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation or log manipulation.
Security updates: PostgreSQL vulnerable to malware attacks | heise online
Google 快訊 - Security Vulnerability / 1d
The developers would like to point out that support for PostgreSQL 12 has expired and that this version will now receive security updates for the last time. The developers have closed four software vulnerabilities in current PostgreSQl versions.
Debian Security Advisory 5812-1
Advisory Files ≈ Packet Storm / 1d
Debian Linux Security Advisory 5812-1 - Multiple security issues were discovered in PostgreSQL, which may result in the execution of arbitrary code, privilege escalation or log manipulation.
See 63 more articles and social media posts

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:Low
User Interaction:None
Scope:Unchanged
Confidentiality:High
Integrity:High
Availability Impact:High

Categories

CVSS 8.8(18246)CWE-15(18)

Be the first to know about critical vulnerabilities

Collect, analyze, and share vulnerability reports faster using AI

Feedly Threat Intelligence30-day free trial