CVE-2024-10979: 
PostgreSQL vulnerability analysis and mitigation

A critical security vulnerability (CVE-2024-10979) was discovered in PostgreSQL's PL/Perl implementation that affects multiple versions of PostgreSQL. The vulnerability was disclosed on November 14, 2024, and affects PostgreSQL versions before 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. The issue allows unprivileged database users to manipulate sensitive process environment variables, potentially leading to unauthorized code execution (PostgreSQL Advisory).

The vulnerability stems from incorrect control of environment variables in PostgreSQL PL/Perl, which enables unprivileged database users to modify sensitive process environment variables such as PATH. The severity of this vulnerability is rated as HIGH with a CVSS v3.1 base score of 8.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). The vulnerability is classified under CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) and CWE-15 (External Control of System or Configuration Setting) (NVD, PostgreSQL Advisory).

The exploitation of this vulnerability can lead to severe consequences including arbitrary code execution, even without having operating system user access to the database server. The impact includes potential disclosure of sensitive information, unauthorized modification of data, and possible Denial of Service (DoS). The vulnerability's high severity rating indicates significant risks to system confidentiality, integrity, and availability (NetApp Advisory).

The primary mitigation is to upgrade to the fixed versions: PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, or 12.21 or later. Additional security measures include restricting permissions for creating PL/Perl functions to trusted users only, implementing proper environment variable sanitization, and regularly auditing database functions to detect potential exploitation attempts (PostgreSQL Advisory).