CVE-2024-10979 - Vulnerability Details

- PostgreSQL PL/Perl environment variable changes execute arbitrary code

Description

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Published: 2024-11-14

Score: 8.8 High

EPSS: 6.9% Low

KEV: No

Impact:

Action:

Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

PostgreSQL

unaffected

Version	Status	Constraints
`17`	affected	< 17.1
`16`	affected	< 16.5
`15`	affected	< 15.9
`14`	affected	< 14.14
`13`	affected	< 13.17
`0`	affected	< 12.21

Configuration 1 [-]

OR	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::
	cpe:2.3:a:postgresql:postgresql::::::::

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
postgresql-0:9.2.24-9.el7_9.2	cpe:/o:redhat:rhel_els:7	RHSA-2024:10882	2024-12-09T00:00:00Z
Red Hat Enterprise Linux 8
postgresql:12-8100020241122084405.489197e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:10785	2024-12-04T00:00:00Z
postgresql:15-8100020241122084744.489197e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:10830	2024-12-05T00:00:00Z
postgresql:16-8100020241122085009.489197e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:10831	2024-12-05T00:00:00Z
postgresql:13-8100020241122084628.489197e6	cpe:/a:redhat:enterprise_linux:8	RHSA-2024:10832	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
postgresql:12-8020020241126122642.4cda2c84	cpe:/a:redhat:rhel_aus:8.2	RHSA-2024:10739	2024-12-03T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
postgresql:12-8040020241129070850.522a0ee4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:10789	2024-12-04T00:00:00Z
postgresql:13-8040020241127111253.522a0ee4	cpe:/a:redhat:rhel_aus:8.4	RHSA-2024:10846	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
postgresql:12-8040020241129070850.522a0ee4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:10789	2024-12-04T00:00:00Z
postgresql:13-8040020241127111253.522a0ee4	cpe:/a:redhat:rhel_tus:8.4	RHSA-2024:10846	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
postgresql:12-8040020241129070850.522a0ee4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:10789	2024-12-04T00:00:00Z
postgresql:13-8040020241127111253.522a0ee4	cpe:/a:redhat:rhel_e4s:8.4	RHSA-2024:10846	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
postgresql:13-8060020241128071428.ad008a3a	cpe:/a:redhat:rhel_aus:8.6	RHSA-2024:10677	2024-12-02T00:00:00Z
postgresql:12-8060020241128124027.ad008a3a	cpe:/a:redhat:rhel_aus:8.6	RHSA-2024:10705	2024-12-02T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
postgresql:13-8060020241128071428.ad008a3a	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:10677	2024-12-02T00:00:00Z
postgresql:12-8060020241128124027.ad008a3a	cpe:/a:redhat:rhel_tus:8.6	RHSA-2024:10705	2024-12-02T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
postgresql:13-8060020241128071428.ad008a3a	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2024:10677	2024-12-02T00:00:00Z
postgresql:12-8060020241128124027.ad008a3a	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2024:10705	2024-12-02T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
postgresql:12-8080020241128093923.63b34585	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:10750	2024-12-03T00:00:00Z
postgresql:13-8080020241201154729.63b34585	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:10800	2024-12-04T00:00:00Z
postgresql:15-8080020241201160004.63b34585	cpe:/a:redhat:rhel_eus:8.8	RHSA-2024:10851	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 9
postgresql:15-9050020241122141928.rhel9	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:10787	2024-12-04T00:00:00Z
postgresql:16-9050020241122142517.rhel9	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:10788	2024-12-04T00:00:00Z
postgresql-0:13.18-1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:10791	2024-12-04T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
postgresql-0:13.18-1.el9_0	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2024:10827	2024-12-05T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
postgresql:15-9020020241122142614.rhel9	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:10807	2024-12-04T00:00:00Z
postgresql-0:13.18-1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:10879	2024-12-09T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
postgresql:16-9040020241125115314.rhel9	cpe:/a:redhat:rhel_eus:9.4	RHSA-2024:10593	2024-12-02T00:00:00Z
postgresql-0:13.18-1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2024:10595	2024-12-02T00:00:00Z
postgresql:15-9040020241121160342.rhel9	cpe:/a:redhat:rhel_eus:9.4	RHSA-2024:10736	2024-12-03T00:00:00Z

No data available yet.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Debian DLA	DLA-3954-1	postgresql-13 security update
Debian DSA	DSA-5812-1	postgresql-15 security update
EUVD	EUVD-2024-33389	Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Ubuntu USN	USN-7132-1	PostgreSQL vulnerabilities
Ubuntu USN	USN-7358-1	PostgreSQL vulnerabilities

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.06857.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/fmora50591/postgresql-env-vuln/blob/main/README.md
https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html
https://nvd.nist.gov/vuln/detail/CVE-2024-10979
https://security.netapp.com/advisory/ntap-20250110-0003/
https://www.cve.org/CVERecord?id=CVE-2024-10979
https://www.postgresql.org/support/security/CVE-2024-10979/

History

Mon, 03 Nov 2025 22:30:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html

Mon, 14 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.02932}`	epss `{'score': 0.02469}`

Tue, 11 Feb 2025 21:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-610
CPEs		cpe:2.3:a:postgresql:postgresql::::::::

Fri, 10 Jan 2025 13:30:00 +0000

Type	Values Removed	Values Added
References		https://security.netapp.com/advisory/ntap-20250110-0003/

Mon, 09 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Els
CPEs		cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Els

Thu, 05 Dec 2024 15:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_eus:9.2

Thu, 05 Dec 2024 02:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_e4s:8.4 cpe:/a:redhat:rhel_tus:8.4

Wed, 04 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat enterprise Linux
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9
Vendors & Products		Redhat enterprise Linux

Wed, 04 Dec 2024 02:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_eus:8.8

Tue, 03 Dec 2024 02:15:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/a:redhat:rhel_aus:8.2~~

Tue, 03 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_tus:8.6
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Tus

Mon, 02 Dec 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_eus:9.4
Vendors & Products		Redhat Redhat rhel Eus

Mon, 25 Nov 2024 05:45:00 +0000

Type	Values Removed	Values Added
References		https://github.com/fmora50591/postgresql-env-vuln/blob/main/README.md

Fri, 22 Nov 2024 14:00:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2024-10979 https://www.cve.org/CVERecord?id=CVE-2024-10979
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 14 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Postgresql Postgresql postgresql
CPEs		cpe:2.3:a:postgresql:postgresql:-:::::::*
Vendors & Products		Postgresql Postgresql postgresql
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 14 Nov 2024 13:15:00 +0000

Type	Values Removed	Values Added
Description		Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Title		PostgreSQL PL/Perl environment variable changes execute arbitrary code
Weaknesses		CWE-15
References		https://www.postgresql.org/support/security/CVE-2024-10979/
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Postgresql Postgresql

Redhat Enterprise Linux Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Tus

MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published: 2024-11-14T13:00:08.586Z

Updated: 2025-11-03T21:51:41.330Z

Reserved: 2024-11-07T19:27:04.476Z

Link: CVE-2024-10979

Vulnrichment

Updated: 2025-11-03T21:51:41.330Z

NVD

Status : Modified

Published: 2024-11-14T13:15:04.407

Modified: 2025-11-03T22:16:37.020

Link: CVE-2024-10979

Redhat

Severity : Important

Publid Date: 2024-11-14T13:00:08Z

Links: CVE-2024-10979 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object