REDHAT-BUG-2326253
First published: Thu Nov 14 2024(Updated: )
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PostgreSQL Common | <17.1<16.5<15.9<14.14<13.17<12.21 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:10595
- https://access.redhat.com/errata/RHSA-2024:10593
- https://access.redhat.com/errata/RHSA-2024:10677
- https://access.redhat.com/errata/RHSA-2024:10705
- https://access.redhat.com/errata/RHSA-2024:10736
- https://access.redhat.com/errata/RHSA-2024:10739
- https://access.redhat.com/errata/RHSA-2024:10750
- https://access.redhat.com/errata/RHSA-2024:10785
- https://access.redhat.com/errata/RHSA-2024:10788
- https://access.redhat.com/errata/RHSA-2024:10787
- https://access.redhat.com/errata/RHSA-2024:10789
- https://access.redhat.com/errata/RHSA-2024:10791
- https://access.redhat.com/errata/RHSA-2024:10800
- https://access.redhat.com/errata/RHSA-2024:10807
- https://access.redhat.com/errata/RHSA-2024:10827
- https://access.redhat.com/errata/RHSA-2024:10830
- https://access.redhat.com/errata/RHSA-2024:10832
- https://access.redhat.com/errata/RHSA-2024:10831
- https://access.redhat.com/errata/RHSA-2024:10846
- https://access.redhat.com/errata/RHSA-2024:10851
- https://access.redhat.com/errata/RHSA-2024:10879
- https://access.redhat.com/errata/RHSA-2024:10882
- https://bugzilla.redhat.com/show_bug.cgi?id=2326253
Frequently Asked Questions
What is the severity of REDHAT-BUG-2326253?
The severity of REDHAT-BUG-2326253 is high due to the potential for arbitrary code execution.
How do I fix REDHAT-BUG-2326253?
To fix REDHAT-BUG-2326253, upgrade to a version of PostgreSQL that is 17.1 or higher, or 16.5 or higher, or 15.9 or higher, or 14.14 or higher, or 13.17 or higher, or 12.21 or higher.
Which versions are affected by REDHAT-BUG-2326253?
Versions of PostgreSQL prior to 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected by REDHAT-BUG-2326253.
What types of attacks can exploit REDHAT-BUG-2326253?
REDHAT-BUG-2326253 can be exploited for arbitrary code execution by altering sensitive process environment variables.
Who can be affected by REDHAT-BUG-2326253?
An unprivileged database user can be affected by REDHAT-BUG-2326253, as it allows them to change sensitive environment variables.
- agent/severity
- agent/description
- agent/event
- agent/type
- agent/first-publish-date
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-10979
- agent/last-modified-date
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/postgresql
- canonical/postgresql common