CVE-2024-10979
Published: 14 November 2024
Summary
CVE-2024-10979 is a high-severity External Control of System or Configuration Setting (CWE-15) vulnerability in PostgreSQL. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 8.8% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
CVE-2024-10979 is an incorrect control of environment variables vulnerability in PostgreSQL's PL/Perl extension. It affects all versions prior to 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21, allowing modification of sensitive process variables such as PATH. The flaw is tracked under CWE-15 and CWE-610 and carries a CVSS 3.1 score of 8.8.
An unprivileged database user can exploit the issue over the network to alter environment variables and achieve arbitrary code execution on the underlying operating system, without requiring a local server account. The attack requires low complexity and no user interaction, enabling privilege escalation from database access to host-level control.
Official advisories from PostgreSQL, Debian LTS, and NetApp direct users to apply the listed patched releases immediately. They also recommend reviewing and restricting PL/Perl usage for untrusted roles and limiting environment-variable inheritance where feasible.
EPSS for the CVE rose from a low baseline to a peak of 0.1571 on 2025-12-11 before receding to the current value of 0.0636, indicating a period of increased exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-33389
Vulnerability details
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user.
Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
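An added example, not part of this advisory or of PostgreSQL itself: a small check that maps a reported server version (the output of `SELECT version()` or a bare `major.minor` string, both constructed inputs here) onto the fixed releases listed above, so an inventory of servers can be triaged for CVE-2024-10979. It assumes that any major branch newer than 17 was cut after the fix and that branches older than 12, for which the advisory lists no fixed release, should be reported separately rather than called fixed.

```python
import re

# Fixed releases named in the advisory, keyed by major version:
# 17.1, 16.5, 15.9, 14.14, 13.17 and 12.21.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# Matches "PostgreSQL 16.4 (Debian 16.4-1.pgdg120+1) on x86_64 ..." as
# returned by SELECT version(); the fallback below accepts a bare "16.4".
_VERSION_RE = re.compile(r"PostgreSQL\s+(\d+)(?:\.(\d+))?")
_BARE_RE = re.compile(r"\s*(\d+)(?:\.(\d+))?")


def parse_version(version_text):
    """Return (major, minor) from version() output or a bare 'major.minor'.

    Pre-release strings such as 'PostgreSQL 16devel' carry no minor number
    and are treated as minor 0, i.e. older than every fixed release.
    """
    m = _VERSION_RE.search(version_text) or _BARE_RE.match(version_text)
    if not m:
        raise ValueError(f"unrecognised PostgreSQL version: {version_text!r}")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) is not None else 0
    return major, minor


def assessment(version_text):
    """Classify a server as 'fixed', 'affected' or 'unsupported'.

    'unsupported' means a major branch older than 12: the advisory lists
    no fixed release for it, so it needs an upgrade rather than a patch.
    """
    major, minor = parse_version(version_text)
    if major > max(FIXED_MINOR):
        # Assumption: majors released after the fix (18 onwards) include it.
        return "fixed"
    if major not in FIXED_MINOR:
        return "unsupported"
    return "fixed" if minor >= FIXED_MINOR[major] else "affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for label in ("PostgreSQL 16.4 (Debian 16.4-1.pgdg120+1) on x86_64-pc-linux-gnu",
                  "PostgreSQL 17.1", "12.20", "PostgreSQL 11.22"):
        print(f"{label!r}: {assessment(label)}")
```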
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2024-10979 allows unprivileged PostgreSQL PL/Perl users to modify sensitive environment variables such as PATH, enabling PATH environment variable interception (T1574.007) for arbitrary code execution and exploitation for privilege escalation (T1068).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Provides fallback sources for configuration or settings when the primary is externally corrupted or controlled.
- The policy and procedures establish internal controls and change management for system configuration settings, reducing the feasibility of external unauthorized modifications.
- Baseline configuration under change control directly prevents unauthorized external modification of system or configuration settings.
- Requires approval, documentation, and security impact review of all configuration changes, directly preventing unauthorized external control of system settings.
- Impact analysis of configuration changes reduces the risk of deploying settings that permit unauthorized external control.
- Restricting changes to system and configuration settings prevents external entities from controlling those settings without approval.
- Establishing, implementing, approving deviations from, and monitoring configuration settings directly prevents external or unauthorized control of system settings.
- The plan defines processes for identifying and managing configuration items, preventing external unauthorized control of system settings.