
Security researchers have discovered a vulnerability in PostgreSQL that has the potential to compromise the security of countless databases worldwide.
The vulnerability is tracked as CVE-2024-10979 with a CVSS score of 8.8. PostgreSQL versions before 17.1, 16.5, 15.9, 14.14, 13.17 and 12.21 are affected.
The flaw allows an unprivileged database user to modify environment variables of the database server process through the PostgreSQL PL/Perl extension. By altering these variables, an attacker could potentially execute malicious code, eventually stealing data or taking control of the system.
Mitigation starts with patching your PostgreSQL installation immediately to version 17.1, 16.5, 15.9, 14.14, 13.17 or 12.21; these releases contain the fix for this vulnerability.
Beyond updating PostgreSQL to the latest minor version, restrict which extensions may be installed: limit CREATE EXTENSION permission grants to specific extensions, and set the shared_preload_libraries configuration parameter to load only the libraries that are actually required.
Limiting which users can install extensions in a database makes such vulnerabilities harder to exploit, and granting users least privilege minimizes the damage a compromise can cause.
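The following script is an added example, not code from the article or from Varonis. It turns the version list above into a quick fleet check: given the output of `SHOW server_version` or `SELECT version()` and the list of installed extensions from `pg_extension`, it reports whether a server carries the CVE-2024-10979 fix and whether PL/Perl is installed there. The server names and query outputs are constructed sample data, and the handling of major versions outside the advisory's list (older than 12, or newer than 17) is an assumption noted in the code.

```python
import re

# Minimum patched minor release per major, taken from the advisory text (CVE-2024-10979).
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

# Matches "16.4" or "PostgreSQL 16.4 on ..." at the start of the string, so that
# compiler versions later in the `version()` string are never picked up.
_VERSION_RE = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) from `SHOW server_version` or `SELECT version()` output.

    Accepts forms such as '16.4', '16.5 (Debian 16.5-1.pgdg120+1)' and
    'PostgreSQL 15.8 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"no major.minor version at start of {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_patched(major, minor):
    """True if this release contains the CVE-2024-10979 fix."""
    if major not in FIXED_MINOR:
        # Assumption: majors newer than 17 were released after the fix, while majors
        # older than 12 are out of support and received no fix.
        return major > max(FIXED_MINOR)
    return minor >= FIXED_MINOR[major]


def plperl_in_use(extension_names):
    """True if the trusted (plperl) or untrusted (plperlu) PL/Perl extension is installed."""
    return any(name.lower() in ("plperl", "plperlu") for name in extension_names)


def assess(version_text, extension_names):
    """Return (needs_action, message) for one database.

    version_text:    output of `SHOW server_version;` or `SELECT version();`
    extension_names: output of `SELECT extname FROM pg_extension;`
    """
    major, minor = parse_version(version_text)
    if is_patched(major, minor):
        return False, f"{major}.{minor}: contains the CVE-2024-10979 fix"
    if plperl_in_use(extension_names):
        return True, f"{major}.{minor}: unpatched and PL/Perl is installed, upgrade now"
    return True, (f"{major}.{minor}: unpatched, PL/Perl not installed; "
                  "upgrade and keep extension creation restricted")


# Constructed sample data (no real servers): what the two queries might return.
SAMPLE_SERVERS = {
    "reporting": ("PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit",
                  ["plpgsql", "plperl"]),
    "billing":   ("16.5 (Debian 16.5-1.pgdg120+1)", ["plpgsql"]),
    "legacy":    ("PostgreSQL 12.20", ["plpgsql", "plperlu"]),
}


def assess_fleet(servers=SAMPLE_SERVERS):
    """Assess every server; returns {name: (needs_action, message)}."""
    return {name: assess(ver, exts) for name, (ver, exts) in servers.items()}


if __name__ == "__main__":
    for name, (needs_action, msg) in assess_fleet().items():
        print(f"{name:10} {'ACTION' if needs_action else 'ok':6} {msg}")
```

To feed it real data, run `SHOW server_version;` and `SELECT extname FROM pg_extension;` in each database. Since PostgreSQL 13, plperl is a trusted extension, so any role holding CREATE on a database can install it without being superuser; revoking that privilege from roles that do not need it (`REVOKE CREATE ON DATABASE appdb FROM PUBLIC;`, with `appdb` a placeholder) is the concrete form of the "limit CREATE EXTENSION" advice above.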
This research was documented by researchers from Varonis.

