Externally Controlled Reference to a Resource in Another Sphere
CVE-2024-10979
Summary
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive environment variables of the backend process (for example "PATH"). Changing the environment of the server process is often enough to achieve arbitrary code execution, even when the attacker has no operating-system account on the database server. The precondition is ordinary database access with permission to create functions in the trusted plperl language (trusted procedural languages grant USAGE to PUBLIC by default); the untrusted plperlu language is already restricted to superusers and is not what this issue is about. This issue affects PostgreSQL versions 12.x prior to 12.21, 13.x prior to 13.17, 14.x prior to 14.14, 15.x prior to 15.9, 16.x prior to 16.5, and 17.x prior to 17.1 (that is, 17.0).
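The advisory gives the affected version ranges and names the trusted PL/Perl language as the exposure. The following audit is an added example written for this page, not text from the PostgreSQL advisory or the project: it checks the running server against the ranges stated above, shows who can use plperl in the current database (including the implicit PUBLIC grant that applies when no explicit ACL has been set), lists existing plperl functions and their owners, and ends with an interim control (revoking USAGE from PUBLIC) that is this editor's suggestion for unpatched servers, not a mitigation the advisory itself prescribes. All catalog objects and functions used (pg_language, pg_proc, aclexplode, acldefault, current_setting) are standard PostgreSQL; no names are invented.

```sql
-- 1. Is this server inside one of the affected ranges from the advisory?
--    server_version_num encodes major*10000 + minor, e.g. 16.4 -> 160004.
SELECT current_setting('server_version')            AS server_version,
       current_setting('server_version_num')::int   AS server_version_num,
       CASE
         WHEN current_setting('server_version_num')::int BETWEEN 120000 AND 120020 THEN 'affected (fixed in 12.21)'
         WHEN current_setting('server_version_num')::int BETWEEN 130000 AND 130016 THEN 'affected (fixed in 13.17)'
         WHEN current_setting('server_version_num')::int BETWEEN 140000 AND 140013 THEN 'affected (fixed in 14.14)'
         WHEN current_setting('server_version_num')::int BETWEEN 150000 AND 150008 THEN 'affected (fixed in 15.9)'
         WHEN current_setting('server_version_num')::int BETWEEN 160000 AND 160004 THEN 'affected (fixed in 16.5)'
         WHEN current_setting('server_version_num')::int BETWEEN 170000 AND 170000 THEN 'affected (fixed in 17.1)'
         ELSE 'not in an affected range listed in the advisory'
       END AS cve_2024_10979_status;

-- 2. Who may create plperl functions in the current database?
--    pg_language is per-database, so run this in every database.
--    A NULL lanacl means the built-in default applies; for a trusted
--    language that default includes USAGE for PUBLIC, which acldefault()
--    expands so the implicit grant is not overlooked.
SELECT l.lanname,
       l.lanpltrusted,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee) END     AS grantee,
       a.privilege_type,
       (l.lanacl IS NULL)                           AS acl_is_implicit_default
FROM pg_language l
CROSS JOIN LATERAL aclexplode(COALESCE(l.lanacl, acldefault('l', l.lanowner))) a
WHERE l.lanname IN ('plperl', 'plperlu')
ORDER BY l.lanname, grantee;

-- 3. Which plperl functions already exist, and who owns them?
--    Functions owned by non-superusers are the ones an unprivileged
--    attacker could have planted before the upgrade.
SELECT n.nspname                                   AS schema,
       p.proname                                   AS function,
       pg_get_userbyid(p.proowner)                 AS owner,
       r.rolsuper                                  AS owner_is_superuser
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles     r ON r.oid = p.proowner
WHERE l.lanname = 'plperl'
ORDER BY owner_is_superuser, schema, function;

-- 4. Interim control for a server that cannot be upgraded immediately
--    (editor's suggestion, not from the advisory): remove the default
--    PUBLIC grant so only roles you explicitly choose can write plperl.
--    Must be run in each database where plperl is installed; existing
--    plperl functions keep working, but non-superusers can no longer
--    create new ones until you GRANT USAGE back to specific roles.
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
```

Query 2 is the one worth running first: the common surprise is a server where nobody ever granted anything on plperl and lanacl is NULL, yet every role can still use it because the trusted-language default includes PUBLIC. Query 3 is the post-upgrade forensics step; a plperl function owned by an unexpected role on a server that was in an affected range deserves a look at its body.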
CVSS v3.1 base metrics (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, base score 8.8):
- Attack Complexity: LOW
- Attack Vector: NETWORK
- Base Severity: HIGH
- Scope: UNCHANGED
- User Interaction: NONE
- Privileges Required: LOW
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.