Researchers at Varonis discovered a vulnerability in the PostgreSQL procedural-language extension PL/Perl that allows a user to set arbitrary environment variables in PostgreSQL session processes.
The vulnerability was assigned a CVSS severity score of 8.8 and could lead to severe security issues, depending on the scenario in which it is exploited.
Tracked as CVE-2024-10979, the flaw allows a threat actor to modify sensitive environment variables, ultimately allowing them to execute arbitrary code without having access to an operating system user account.
The vulnerability also allows a threat actor to run additional queries to gather information about the machine and its contents.
Versions preceding PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. The researchers recommend mitigating the flaw by upgrading PostgreSQL "to the latest minor version at a minimum," as well as by restricting which extensions are allowed.
PostgreSQL customers should also examine DDL logs for the creation of functions they do not recognize or did not create themselves, to assess whether they have been affected.
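As an added illustration of the two checks recommended above (example code written for this page, not Varonis's or the PostgreSQL project's): it compares a server version string against the fixed releases listed in the article, and scans constructed DDL log lines, in an assumed `log_line_prefix` layout, for `CREATE FUNCTION` statements, flagging the PL/Perl ones and recording which role created them.

```python
import re
from typing import Dict, List, Optional

# Fixed minor releases named in the article; earlier minors on the same
# major line are affected by CVE-2024-10979, later ones carry the fix.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# Assumed log layout for log_statement = 'ddl' with a prefix of
# "%m [%p] %u@%d " (adjust LOG_RE to match your own log_line_prefix).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$")
CREATE_FN_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(?P<name>[\w.\"]+)", re.IGNORECASE)
LANG_RE = re.compile(r"LANGUAGE\s+(?P<lang>\w+)", re.IGNORECASE)

def version_is_fixed(version: str) -> Optional[bool]:
    """True if a 'major.minor' string is at or past the fixed release,
    False if it is older, None if the major line is not one listed."""
    major, minor = (int(p) for p in version.split(".")[:2])
    if major not in FIXED_MINOR:
        return None
    return minor >= FIXED_MINOR[major]

def function_creations(lines: List[str]) -> List[Dict[str, object]]:
    """Report every CREATE FUNCTION in DDL log lines: who ran it, where, and
    whether the language is PL/Perl (plperl/plperlu), the one this CVE concerns."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        fn = CREATE_FN_RE.search(m["sql"])
        if not fn:
            continue
        lang = LANG_RE.search(m["sql"])
        language = lang["lang"].lower() if lang else "unknown"
        findings.append({"timestamp": m["ts"], "user": m["user"], "database": m["db"],
                         "function": fn["name"], "language": language,
                         "plperl": language in ("plperl", "plperlu")})
    return findings

# Constructed sample lines, not a real log.
SAMPLE_LOG = [
    "2024-11-14 10:00:01 UTC [4242] app_user@appdb LOG:  statement: SELECT 1",
    "2024-11-14 10:00:02 UTC [4242] app_user@appdb LOG:  statement: CREATE FUNCTION public.f1() RETURNS void AS $$ return 1; $$ LANGUAGE plperl",
    "2024-11-14 10:00:03 UTC [4243] dba@appdb LOG:  statement: CREATE OR REPLACE FUNCTION util.add1(int) RETURNS int AS $$ select $1+1 $$ LANGUAGE sql",
]
```

Any finding whose creating role is not a known administrator, particularly one with `plperl` set, is worth reviewing against change records.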