Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure.
The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8.
Environment variables are user-defined values that allow a program to dynamically fetch various kinds of information, such as access keys and software installation paths, at runtime without having to hard-code them. On certain operating systems, they are initialized during the startup phase. Because a variable such as PATH decides where a process looks for an executable when it spawns a command, an attacker who can rewrite it inside the database server process can redirect that lookup to code they control.
“Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g., PATH),” PostgreSQL said in an advisory released Thursday.
“That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user.”
The flaw has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Varonis researchers Tal Peleg and Coby Abrams, who discovered the issue, said it could lead to “severe security issues” depending on the attack scenario.
This includes, but is not limited to, the execution of arbitrary code by modifying environment variables such as PATH, or the extraction of valuable information from the machine by running malicious queries.
Additional details of the vulnerability are currently being withheld to give users enough time to apply the fixes. Users are also advised to restrict which extensions may be created and, in particular, who may use PL/Perl.
“For example, limiting CREATE EXTENSION permission grants to specific extensions and additionally setting the shared_preload_libraries configuration parameter to load only required extensions, limiting roles from creating functions per the principle of least privileges by limiting the CREATE FUNCTION permission,” Varonis said.
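The following SQL is an added example, not code from the PostgreSQL advisory or from Varonis. It shows how an administrator can check whether a server is running a fixed release and how to apply the least-privilege measures described above: confirming whether PL/Perl is installed and who may use it, revoking the default PUBLIC usage on the trusted plperl language, and withholding the database-level CREATE privilege that lets non-superusers install trusted extensions such as plperl. The database name `appdb` and the role name `app_rw` are placeholders for this example.

```sql
-- Added example (not from the advisory or Varonis). Placeholders: appdb, app_rw.

-- 1. Is this server on a release that fixes CVE-2024-10979?
--    Fixed releases: 17.1, 16.5, 15.9, 14.14, 13.17, 12.21.
SELECT current_setting('server_version') AS server_version,
       CASE current_setting('server_version_num')::int / 10000
         WHEN 17 THEN current_setting('server_version_num')::int >= 170001
         WHEN 16 THEN current_setting('server_version_num')::int >= 160005
         WHEN 15 THEN current_setting('server_version_num')::int >= 150009
         WHEN 14 THEN current_setting('server_version_num')::int >= 140014
         WHEN 13 THEN current_setting('server_version_num')::int >= 130017
         WHEN 12 THEN current_setting('server_version_num')::int >= 120021
         ELSE NULL   -- major version not covered by the advisory
       END AS patched;

-- 2. Is PL/Perl present, and who can use it?
--    plperl is a *trusted* language, so PUBLIC gets USAGE on it by default;
--    lanacl IS NULL means the default grants are still in effect.
SELECT extname, extversion
FROM   pg_extension
WHERE  extname IN ('plperl', 'plperlu');

SELECT lanname, lanpltrusted, lanacl
FROM   pg_language
WHERE  lanname LIKE 'plperl%';

-- 3. Remove the blanket grant: only roles that genuinely need PL/Perl
--    should be able to create functions in it (CREATE FUNCTION ... LANGUAGE plperl).
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
-- Re-grant narrowly if a specific role really needs it:
-- GRANT USAGE ON LANGUAGE plperl TO plperl_devs;

-- 4. Trusted extensions (plperl included) can be installed by any role that
--    holds CREATE on the database. Withhold it from ordinary application roles.
REVOKE CREATE ON DATABASE appdb FROM PUBLIC;
REVOKE CREATE ON DATABASE appdb FROM app_rw;

-- 5. Ordinary roles also need CREATE on a schema to define functions there.
--    (PostgreSQL 15+ already withholds CREATE on public from PUBLIC.)
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- 6. Verify the result for the application role.
SELECT has_language_privilege('app_rw', 'plperl', 'USAGE')   AS can_use_plperl,
       has_database_privilege('app_rw', 'appdb', 'CREATE')   AS can_create_in_db,
       has_schema_privilege('app_rw', 'public', 'CREATE')    AS can_create_in_public;
-- All three should be false for a least-privilege application role.

-- 7. If PL/Perl is not used at all, drop it rather than fence it off.
-- DROP EXTENSION plperl;
```

Run the checks in steps 1, 2 and 6 against every database on the instance, since extensions and language grants are per-database. Revoking USAGE only stops new PL/Perl functions from being defined; functions that already exist keep working until they are dropped, so audit `pg_proc` for existing PL/Perl routines as well. None of this replaces upgrading to a fixed release, which is the only complete remediation.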