Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables and potentially lead to code execution or information disclosure.
The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8.
Environment variables are user-defined values that allow a program to dynamically fetch various kinds of information, such as access keys and software installation paths, at runtime without having to hard-code them. On certain operating systems, they are initialized during the startup phase.
“Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g., PATH),” PostgreSQL said in an advisory released Thursday.
“That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user.”
The flaw has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Varonis researchers Tal Peleg and Coby Abrams, who discovered the issue, said it could lead to “severe security issues” depending on the attack scenario.
This includes, but is not limited to, the execution of arbitrary code by modifying environment variables such as PATH, or the extraction of valuable information from the machine by running malicious queries.
Additional details of the vulnerability are currently being withheld to give users enough time to apply the fixes. Users are also advised to restrict the extensions they allow.
“For example, limiting CREATE EXTENSIONS permission grants to specific extensions and additionally setting the shared_preload_libraries configuration parameter to load only required extensions, limiting roles from creating functions per the principle of least privileges by restricting the CREATE FUNCTION permission,” Varonis said.
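The hardening steps Varonis describes, as an added example written for this article (not from the PostgreSQL advisory or from Varonis): audit queries a DBA can run to see who could currently create extensions or PL/Perl functions, followed by the corresponding REVOKE and configuration statements. The database name `mydb` and the `shared_preload_libraries` value are placeholders.

```sql
-- Added example, not from the advisory: audit and harden while the upgrade
-- to 17.1 / 16.5 / 15.9 / 14.14 / 13.17 / 12.21 is being scheduled.

-- 1. Confirm the running release against the fixed versions listed above.
SELECT current_setting('server_version') AS server_version;

-- 2. Is PL/Perl installed, and who may use it? A language marked
--    lanpltrusted is usable by any role with USAGE on it; lanacl NULL means
--    the default grant, which for a trusted language includes PUBLIC.
SELECT lanname, lanpltrusted, lanacl
FROM pg_catalog.pg_language
WHERE lanname IN ('plperl', 'plperlu');

-- 3. Which non-superuser roles hold CREATE on this database, and could
--    therefore install a trusted extension such as plperl themselves?
SELECT rolname
FROM pg_catalog.pg_roles
WHERE has_database_privilege(rolname, current_database(), 'CREATE')
  AND NOT rolsuper;

-- 4. Least privilege pending the patch: withdraw the default grants so only
--    explicitly named roles can create extensions or PL/Perl functions.
REVOKE CREATE ON DATABASE mydb FROM PUBLIC;    -- mydb is a placeholder name
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;   -- only meaningful if plperl exists
REVOKE CREATE ON SCHEMA public FROM PUBLIC;    -- already the default from PG 15

-- 5. Load only the shared libraries the deployment actually needs
--    (placeholder value; change takes effect after a server restart).
ALTER SYSTEM SET shared_preload_libraries = 'pg_stat_statements';
```

After the REVOKEs, grant CREATE on the database and USAGE on plperl back to the specific roles that need them rather than to PUBLIC.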