Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.06857.

Exploitation none

Automatable no

Technical Impact total

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions
n/a PostgreSQL unaffected
Version Status Constraints
17 affected < 17.1
16 affected < 16.5
15 affected < 15.9
14 affected < 14.14
13 affected < 13.17
0 affected < 12.21

Configuration 1 [-]

OR cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
Package CPE Advisory Released Date
Red Hat Enterprise Linux 7 Extended Lifecycle Support
postgresql-0:9.2.24-9.el7_9.2 cpe:/o:redhat:rhel_els:7 RHSA-2024:10882 2024-12-09T00:00:00Z
Red Hat Enterprise Linux 8
postgresql:12-8100020241122084405.489197e6 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:10785 2024-12-04T00:00:00Z
postgresql:15-8100020241122084744.489197e6 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:10830 2024-12-05T00:00:00Z
postgresql:16-8100020241122085009.489197e6 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:10831 2024-12-05T00:00:00Z
postgresql:13-8100020241122084628.489197e6 cpe:/a:redhat:enterprise_linux:8 RHSA-2024:10832 2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
postgresql:12-8020020241126122642.4cda2c84 cpe:/a:redhat:rhel_aus:8.2 RHSA-2024:10739 2024-12-03T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
postgresql:12-8040020241129070850.522a0ee4 cpe:/a:redhat:rhel_aus:8.4 RHSA-2024:10789 2024-12-04T00:00:00Z
postgresql:13-8040020241127111253.522a0ee4 cpe:/a:redhat:rhel_aus:8.4 RHSA-2024:10846 2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.4 Telecommunications Update Service
postgresql:12-8040020241129070850.522a0ee4 cpe:/a:redhat:rhel_tus:8.4 RHSA-2024:10789 2024-12-04T00:00:00Z
postgresql:13-8040020241127111253.522a0ee4 cpe:/a:redhat:rhel_tus:8.4 RHSA-2024:10846 2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
postgresql:12-8040020241129070850.522a0ee4 cpe:/a:redhat:rhel_e4s:8.4 RHSA-2024:10789 2024-12-04T00:00:00Z
postgresql:13-8040020241127111253.522a0ee4 cpe:/a:redhat:rhel_e4s:8.4 RHSA-2024:10846 2024-12-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
postgresql:13-8060020241128071428.ad008a3a cpe:/a:redhat:rhel_aus:8.6 RHSA-2024:10677 2024-12-02T00:00:00Z
postgresql:12-8060020241128124027.ad008a3a cpe:/a:redhat:rhel_aus:8.6 RHSA-2024:10705 2024-12-02T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
postgresql:13-8060020241128071428.ad008a3a cpe:/a:redhat:rhel_tus:8.6 RHSA-2024:10677 2024-12-02T00:00:00Z
postgresql:12-8060020241128124027.ad008a3a cpe:/a:redhat:rhel_tus:8.6 RHSA-2024:10705 2024-12-02T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
postgresql:13-8060020241128071428.ad008a3a cpe:/a:redhat:rhel_e4s:8.6 RHSA-2024:10677 2024-12-02T00:00:00Z
postgresql:12-8060020241128124027.ad008a3a cpe:/a:redhat:rhel_e4s:8.6 RHSA-2024:10705 2024-12-02T00:00:00Z
Red Hat Enterprise Linux 8.8 Extended Update Support
postgresql:12-8080020241128093923.63b34585 cpe:/a:redhat:rhel_eus:8.8 RHSA-2024:10750 2024-12-03T00:00:00Z
postgresql:13-8080020241201154729.63b34585 cpe:/a:redhat:rhel_eus:8.8 RHSA-2024:10800 2024-12-04T00:00:00Z
postgresql:15-8080020241201160004.63b34585 cpe:/a:redhat:rhel_eus:8.8 RHSA-2024:10851 2024-12-05T00:00:00Z
Red Hat Enterprise Linux 9
postgresql:15-9050020241122141928.rhel9 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:10787 2024-12-04T00:00:00Z
postgresql:16-9050020241122142517.rhel9 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:10788 2024-12-04T00:00:00Z
postgresql-0:13.18-1.el9_5 cpe:/a:redhat:enterprise_linux:9 RHSA-2024:10791 2024-12-04T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
postgresql-0:13.18-1.el9_0 cpe:/a:redhat:rhel_e4s:9.0 RHSA-2024:10827 2024-12-05T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
postgresql:15-9020020241122142614.rhel9 cpe:/a:redhat:rhel_eus:9.2 RHSA-2024:10807 2024-12-04T00:00:00Z
postgresql-0:13.18-1.el9_2 cpe:/a:redhat:rhel_eus:9.2 RHSA-2024:10879 2024-12-09T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
postgresql:16-9040020241125115314.rhel9 cpe:/a:redhat:rhel_eus:9.4 RHSA-2024:10593 2024-12-02T00:00:00Z
postgresql-0:13.18-1.el9_4 cpe:/a:redhat:rhel_eus:9.4 RHSA-2024:10595 2024-12-02T00:00:00Z
postgresql:15-9040020241121160342.rhel9 cpe:/a:redhat:rhel_eus:9.4 RHSA-2024:10736 2024-12-03T00:00:00Z

No data.

Project Subscriptions

Vendors Products
Postgresql Subscribe
Postgresql Subscribe
Redhat Subscribe
Enterprise Linux Subscribe
Rhel Aus Subscribe
Rhel E4s Subscribe
Rhel Els Subscribe
Rhel Eus Subscribe
Rhel Tus Subscribe
Advisories
Source ID Title
Debian DLA Debian DLA DLA-3954-1 postgresql-13 security update
Debian DSA Debian DSA DSA-5812-1 postgresql-15 security update
EUVD EUVD EUVD-2024-33389 Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Ubuntu USN Ubuntu USN USN-7132-1 PostgreSQL vulnerabilities
Ubuntu USN Ubuntu USN USN-7358-1 PostgreSQL vulnerabilities
Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References
Link Providers
https://github.com/fmora50591/postgresql-env-vuln/blob/main/README.md cve-icon
https://lists.debian.org/debian-lts-announce/2024/11/msg00011.html cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2024-10979 cve-icon
https://security.netapp.com/advisory/ntap-20250110-0003/ cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-10979 cve-icon
https://www.postgresql.org/support/security/CVE-2024-10979/ cve-icon cve-icon cve-icon
History

Mon, 03 Nov 2025 22:30:00 +0000

Type Values Removed Values Added
References

Mon, 14 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.02932}

 epss

{'score': 0.02469}

Tue, 11 Feb 2025 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-610
CPEs cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

Fri, 10 Jan 2025 13:30:00 +0000

Type Values Removed Values Added
References

Mon, 09 Dec 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Els
CPEs cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Els

Thu, 05 Dec 2024 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_eus:9.2

Thu, 05 Dec 2024 02:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_e4s:8.4
cpe:/a:redhat:rhel_tus:8.4

Wed, 04 Dec 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat enterprise Linux
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
Vendors & Products Redhat enterprise Linux

Wed, 04 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_eus:8.8

Tue, 03 Dec 2024 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:rhel_aus:8.2

Tue, 03 Dec 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus
CPEs cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_tus:8.6
Vendors & Products Redhat rhel Aus
Redhat rhel E4s
Redhat rhel Tus

Mon, 02 Dec 2024 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat rhel Eus
CPEs cpe:/a:redhat:rhel_eus:9.4
Vendors & Products Redhat
Redhat rhel Eus

Mon, 25 Nov 2024 05:45:00 +0000

Type Values Removed Values Added
References

Fri, 22 Nov 2024 14:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Thu, 14 Nov 2024 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Postgresql
Postgresql postgresql
CPEs cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:*:*:*
Vendors & Products Postgresql
Postgresql postgresql
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 14 Nov 2024 13:15:00 +0000

Type Values Removed Values Added
Description Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Title PostgreSQL PL/Perl environment variable changes execute arbitrary code
Weaknesses CWE-15
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: PostgreSQL

Published:

Updated: 2025-11-03T21:51:41.330Z

Reserved: 2024-11-07T19:27:04.476Z

Link: CVE-2024-10979

cve-icon Vulnrichment

Updated: 2025-11-03T21:51:41.330Z

cve-icon NVD

Status : Modified

Published: 2024-11-14T13:15:04.407

Modified: 2025-11-03T22:16:37.020

Link: CVE-2024-10979

cve-icon Redhat

Severity : Important

Publid Date: 2024-11-14T13:00:08Z

Links: CVE-2024-10979 - Bugzilla

cve-icon OpenCVE Enrichment

No data.

Weaknesses