CVE-2024-10979 HIGH

CVE-2024-10979: PostgreSQL PL/Perl environment variable changes execute arbitrary code

Vendor N/A
Product PostgreSQL
Weakness CWE-15
Published November 14, 2024
Last update November 3, 2025

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Key dates

02 Disclosure timeline

November 14, 2024 CVE published
November 3, 2025 Record updated