
High-Severity Flaw in PostgreSQL Allows Hackers to Exploit Environment Variables

Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure.

The vulnerability, tracked as CVE-2024-10979, carries a CVSS rating of 8.8.

Environment variables are user-defined values that allow a program to dynamically fetch various kinds of information, such as access keys and software installation paths, during runtime without having to hard-code them. In certain operating systems, they are initialized during the startup phase.

"Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g., PATH)," PostgreSQL said in an advisory released Thursday.


"That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user."

The flaw has been addressed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Varonis researchers Tal Peleg and Coby Abrams, who discovered the issue, said it could lead to "severe security issues" depending on the attack scenario.


This includes, but is not limited to, the execution of arbitrary code by modifying environment variables such as PATH, or the extraction of valuable information on the machine by running malicious queries.

Additional details of the vulnerability are currently being withheld to give users enough time to apply the fixes. Users are also advised to restrict allowed extensions.

"For example, limiting CREATE EXTENSIONS permission grants to specific extensions and additionally setting the shared_preload_libraries configuration parameter to load only required extensions, limiting roles from creating functions per the principle of least privilege by restricting the CREATE FUNCTION permission," Varonis said.
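The mitigations Varonis describes above map onto a handful of ordinary PostgreSQL privilege and configuration statements. The following psql session is an added example written for this article; it is not code from PostgreSQL, Varonis, or the advisory. It assumes a superuser connection, and the database name `mydb` and role name `app_writer` are constructed placeholders to be replaced with your own.

```sql
-- Added example (not from the article, PostgreSQL, or Varonis): a defender's
-- checklist for CVE-2024-10979, run as a superuser in psql.
-- 'mydb' and 'app_writer' are constructed placeholder names.

-- 1. Confirm the server is on a fixed release
--    (17.1, 16.5, 15.9, 14.14, 13.17, 12.21 or later).
SELECT current_setting('server_version') AS server_version;

-- 2. Which procedural languages are installed, and who may use them?
--    PL/Perl (plperl) is a "trusted" language, so by default every role
--    holds USAGE on it and can CREATE FUNCTION in Perl.
SELECT lanname, lanpltrusted, lanacl
FROM pg_language
WHERE lanname NOT IN ('internal', 'c', 'sql');

-- 3. Inventory existing PL/Perl functions and their owners, so you know
--    which roles already run Perl inside the server process.
SELECT n.nspname AS schema, p.proname AS function, r.rolname AS owner
FROM pg_proc p
JOIN pg_language  l ON l.oid = p.prolang
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles     r ON r.oid = p.proowner
WHERE l.lanname IN ('plperl', 'plperlu')
ORDER BY 1, 2;

-- 4. Least privilege for CREATE FUNCTION: creating a function requires CREATE
--    on the target schema and USAGE on the language, so revoke both from PUBLIC.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE USAGE ON LANGUAGE plperl FROM PUBLIC;
-- Re-grant only to the specific role that genuinely needs it (placeholder):
-- GRANT USAGE ON LANGUAGE plperl TO app_writer;

-- 5. Restrict extension installation: CREATE on a database lets a role install
--    "trusted" extensions, so revoke it from application roles and review
--    what is already installed.
REVOKE CREATE ON DATABASE mydb FROM app_writer;
SELECT extname, extversion FROM pg_extension ORDER BY 1;

-- 6. Preload only the libraries you actually need. Inspect the current value;
--    changing it takes effect only after a server restart.
SHOW shared_preload_libraries;
-- ALTER SYSTEM SET shared_preload_libraries = '<only the libraries you require>';
```

Steps 1 to 3 are read-only and safe to run anywhere; steps 4 to 6 change privileges and configuration, so run them in a change window and re-grant language USAGE and database CREATE to the named roles that still need them. On PostgreSQL 15 and later, `CREATE` on `public` is already revoked from `PUBLIC` by default, so step 4's first statement is a no-op there.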
