Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure.
The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8.
Environment variables are user-defined values that can allow a program to dynamically fetch various kinds of information, such as access keys and software installation paths, during runtime without having to hard-code them. In certain operating systems, they are initialized during the startup phase.
"Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g., PATH)," PostgreSQL said in an advisory released Thursday.
"That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user."
The flaw has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Varonis researchers, Tal Peleg and Coby Abrams, who discovered the issue, said it could lead to "severe security issues" depending on the attack scenario.
This includes, but is not limited to, the execution of arbitrary code by modifying environment variables such as PATH, or extraction of valuable information on the machine by running malicious queries.
Additional details of the vulnerability are currently being withheld to give users enough time to apply the fixes. Users are also advised to restrict allowed extensions.
"For example, limiting CREATE EXTENSIONS permission grants to specific extensions and additionally setting the shared_preload_libraries configuration parameter to load only required extensions, limiting roles from creating functions per the principle of least privileges by restricting the CREATE FUNCTION permission," Varonis said.