
High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables


Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables and potentially lead to code execution or information disclosure.

The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8.

Environment variables are user-defined values that allow a program to dynamically fetch various kinds of information, such as access keys and software installation paths, at runtime without having to hard-code them. In certain operating systems, they are initialized during the startup phase.

“Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g., PATH),” PostgreSQL said in an advisory released Thursday.


“That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user.”


The flaw has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Varonis researchers Tal Peleg and Coby Abrams, who discovered the issue, said it could lead to “severe security issues” depending on the attack scenario.

This includes, but is not limited to, the execution of arbitrary code by modifying environment variables such as PATH, or the extraction of valuable information on the machine by running malicious queries.

Further details of the vulnerability are currently being withheld to give users enough time to apply the fixes. Users are also advised to restrict the extensions they allow.

“For example, limiting CREATE EXTENSIONS permission grants to specific extensions and additionally setting the shared_preload_libraries configuration parameter to load only required extensions, restricting roles from creating functions according to the principle of least privilege by limiting the CREATE FUNCTION permission,” Varonis said.
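As an added example of what those mitigations look like in practice (this is not code from the article, the PostgreSQL advisory or Varonis), the following psql session checks the server release, inventories PL/Perl usage, and applies the permission restrictions described above. The database name appdb and the roles app_user and plperl_devs are assumed placeholders; run it as a superuser or the database owner.

```sql
-- Added hardening example; appdb, app_user and plperl_devs are assumed names.

-- 1. Confirm whether the server is on a fixed release
--    (17.1, 16.5, 15.9, 14.14, 13.17, 12.21 or later).
SHOW server_version;

-- 2. Inventory: installed extensions, procedural languages, and every
--    function written in PL/Perl (trusted plperl or untrusted plperlu).
SELECT extname, extversion FROM pg_extension ORDER BY extname;
SELECT lanname, lanpltrusted FROM pg_language WHERE lanname LIKE 'pl%';
SELECT n.nspname, p.proname, l.lanname, pg_get_userbyid(p.proowner) AS owner
FROM pg_proc p
JOIN pg_language l  ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE l.lanname IN ('plperl', 'plperlu');

-- 3. Least privilege on CREATE FUNCTION. Creating a function needs CREATE on
--    the target schema plus USAGE on the language; trusted languages such as
--    plperl grant USAGE to PUBLIC by default, so take both back.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
-- Re-grant only to a dedicated role that genuinely needs it (assumed name).
GRANT USAGE ON LANGUAGE plperl TO plperl_devs;

-- 4. Limit who can install extensions: trusted extensions can be installed by
--    any role holding CREATE on the database, so keep that privilege narrow.
REVOKE CREATE ON DATABASE appdb FROM PUBLIC;
REVOKE CREATE ON DATABASE appdb FROM app_user;

-- 5. Load only the libraries you actually need at server start (takes effect
--    after a restart). Replace the list with your own required set.
ALTER SYSTEM SET shared_preload_libraries = 'pg_stat_statements';

-- 6. Verify the resulting ACLs.
SELECT lanname, lanacl FROM pg_language  WHERE lanname = 'plperl';
SELECT nspname, nspacl FROM pg_namespace WHERE nspname = 'public';
SELECT datname, datacl FROM pg_database  WHERE datname = 'appdb';
```

On PostgreSQL 15 and later, CREATE on the public schema is already revoked from PUBLIC by default, so step 3's first statement is a no-op there; the language USAGE revoke is the part that matters for PL/Perl on every version. These restrictions narrow who can reach the vulnerable code path but do not replace upgrading to a fixed release.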
