Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure.
The vulnerability, tracked as CVE-2024-10979, carries a CVSS rating of 8.8.
Environment variables are user-defined values that allow a program to dynamically fetch various kinds of information, such as access keys and software installation paths, at runtime without having to hard-code them. In certain operating systems, they are initialized during the startup phase.
“Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g., PATH),” PostgreSQL said in an advisory released Thursday.
“That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user.”
The flaw has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Varonis researchers Tal Peleg and Coby Abrams, who discovered the issue, said it could lead to “severe security issues” depending on the attack scenario.
This includes, but is not limited to, the execution of arbitrary code by modifying environment variables such as PATH, or extraction of valuable information on the machine by running malicious queries.
Additional details of the vulnerability are currently being withheld to give users enough time to apply the fixes. Users are also advised to restrict allowed extensions.
“For example, limiting CREATE EXTENSIONS permission grants to specific extensions and additionally setting the shared_preload_libraries configuration parameter to load only required extensions, limiting roles from creating functions per the principle of least privilege by restricting the CREATE FUNCTION permission,” Varonis said.
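The following audit and hardening script is an added example, not code from the article, PostgreSQL or Varonis. It assumes superuser (or catalog-reading) access to the server being checked and uses the `public` schema and the current database as the objects to review; adjust those names for your deployment.

```sql
-- Added example (not from the article, PostgreSQL or Varonis): audit a server
-- for CVE-2024-10979 exposure and apply the least-privilege mitigations above.

-- 1. Is the running server on a fixed release (17.1, 16.5, 15.9, 14.14, 13.17, 12.21)?
--    server_version_num encodes major*10000 + minor, e.g. 16.5 -> 160005.
SELECT v.num AS server_version_num,
       (v.num >= 170001
        OR v.num BETWEEN 160005 AND 169999
        OR v.num BETWEEN 150009 AND 159999
        OR v.num BETWEEN 140014 AND 149999
        OR v.num BETWEEN 130017 AND 139999
        OR v.num BETWEEN 120021 AND 129999) AS patched
FROM (SELECT current_setting('server_version_num')::int AS num) AS v;

-- 2. Is PL/Perl installed at all? lanpltrusted = true means ordinary roles
--    can define functions in it once they hold USAGE on the language.
SELECT l.lanname, l.lanpltrusted, e.extversion
FROM pg_language l
LEFT JOIN pg_extension e ON e.extname = l.lanname
WHERE l.lanname IN ('plperl', 'plperlu');

-- 3. Which non-superuser login roles could actually create a PL/Perl function?
--    They need USAGE on the language plus CREATE on some schema; CREATE on the
--    database is what lets a role install trusted extensions such as plperl.
--    The CASE guards the language check when plperl is not installed.
SELECT r.rolname,
       CASE WHEN EXISTS (SELECT 1 FROM pg_language WHERE lanname = 'plperl')
            THEN has_language_privilege(r.rolname, 'plperl', 'USAGE') END AS usage_plperl,
       has_schema_privilege(r.rolname, 'public', 'CREATE')            AS create_in_public,
       has_database_privilege(r.rolname, current_database(), 'CREATE') AS create_in_db
FROM pg_roles r
WHERE r.rolcanlogin AND NOT r.rolsuper
ORDER BY r.rolname;

-- 4. Mitigations until every node is on a fixed release (or permanently, if
--    no workload needs them). Re-grant USAGE/CREATE only to the roles that
--    step 3 shows genuinely need them.
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;        -- no-op error if plperl is absent
REVOKE CREATE ON SCHEMA public FROM PUBLIC;         -- default grant on PG 14 and older
REVOKE CREATE ON DATABASE postgres FROM PUBLIC;     -- 'postgres' is a placeholder db name

-- 5. Load only the libraries you need at startup. The value below is a
--    placeholder; list your required libraries and restart the server.
ALTER SYSTEM SET shared_preload_libraries = '';
```

Step 3 is the part worth keeping in a recurring check: any row with `usage_plperl` and `create_in_public` both true is a role that could exercise the flaw on an unpatched server.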