CVE-2024-10979

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Published: Nov 14, 2024
Updated: May 4, 2025
CVE: CVE-2024-10979
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-610

Affected Software
References

Software	From	Fixed in
postgresql / postgresql	17.0	17.1
postgresql / postgresql	16.0	16.5
postgresql / postgresql	15.0	15.9
postgresql / postgresql	14.0	14.14
postgresql / postgresql	13.0	13.17
postgresql / postgresql	12.0	12.21

https://github.com/fmora50591/postgresql-env-vuln/blob/main/README.md
https://security.netapp.com/advisory/ntap-20250110-0003/
https://www.postgresql.org/support/security/CVE-2024-10979/

Vulnerability Database

289,599

CVE-2024-10979