FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

PostgreSQL -- PL/Perl environment variable changes execute arbitrary code

Affected packages
postgresql17-plperl < 17.1
postgresql16-plperl < 16.5
postgresql15-plperl < 15.9
postgresql14-plperl < 14.14
postgresql13-plperl < 13.17
postgresql12-plperl < 12.21

Details

VuXML ID: a03636f4-a29f-11ef-af48-6cc21735f730
Discovery: 2024-11-14
Entry: 2024-11-14

PostgreSQL project reports:

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user.

References

CVE Name: CVE-2024-10979
URL: https://www.postgresql.org/support/security/CVE-2024-10979/