Varonis Warns of Bug Discovered in PostgreSQL PL/Perl
Several versions of PostgreSQL are impacted, and customers will need to upgrade in order to patch.
Researchers at Varonis discovered a vulnerability in PL/Perl, the Perl procedural language extension for PostgreSQL, that allows a database user to set arbitrary environment variables in PostgreSQL session (backend) processes.
The vulnerability carries a CVSS score of 8.8 (high); how severe its consequences are depends on the environment in which it is exploited.
Tracked as CVE-2024-10979, the flaw lets an attacker with database access change sensitive environment variables of the server process, such as PATH, which is often enough to execute arbitrary code on the host even though the attacker has no operating-system user there.
The same access also allows the attacker to run further queries to gather information about the machine and the data it holds.
PostgreSQL releases earlier than 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected. The researchers recommend upgrading "to the latest minor version at a minimum" and restricting which extensions users are permitted to create, since the flaw is only reachable where PL/Perl is installed and usable.
PostgreSQL customers should also examine their DDL logs for the creation of functions they do not recognize or did not create themselves, to assess whether they have already been targeted. Note that such entries exist only if the server logs DDL statements (log_statement set to 'ddl' or 'all'); if it does not, enable that before relying on the log as evidence.
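The two assessment steps above, checking the server version against the fixed releases and scanning DDL logs for function creation in PL/Perl, as an added example written for this page (it is not Varonis's or the PostgreSQL project's code). It assumes the default log_statement = 'ddl' output format with a log_line_prefix of '%m [%p] %u@%d '; the log excerpt is constructed, not real data, and the function names in it are placeholders.

```python
import re
from typing import Dict, Iterable, List, Optional

# First fixed minor release per major series, as listed in the advisory.
FIXED_MINOR = {17: 1, 16: 5, 15: 9, 14: 14, 13: 17, 12: 21}

_VERSION_RE = re.compile(r"(?:PostgreSQL\s+)?(\d+)\.(\d+)")


def is_patched(version_text: str) -> Optional[bool]:
    """Decide from a version string whether the server carries the fix.

    Accepts the output of `SELECT version()` or `SHOW server_version`, e.g.
    'PostgreSQL 16.4 on x86_64-pc-linux-gnu ...' or '16.5 (Debian 16.5-1...)'.
    Returns True/False for the majors named in the advisory and None for a
    major it does not mention, so 'unknown' is never mistaken for 'safe'.
    """
    m = _VERSION_RE.search(version_text)
    if not m:
        raise ValueError(f"cannot parse PostgreSQL version from {version_text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    if major not in FIXED_MINOR:
        return None
    return minor >= FIXED_MINOR[major]


# Log line layout for the assumed prefix '%m [%p] %u@%d ' followed by the
# 'LOG:  statement: ' marker that log_statement = 'ddl' emits (two spaces).
_PREFIX_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>\S+) LOG:  statement: (?P<sql>.*)$")
_CREATE_RE = re.compile(
    r"\bCREATE\s+(?:OR\s+REPLACE\s+)?(?P<kind>FUNCTION|PROCEDURE)\s+(?P<name>[\w\".]+)", re.I)
# LANGUAGE clause; the quoted form ('plperl') is legacy but still accepted.
_LANG_RE = re.compile(r"\bLANGUAGE\s+'?(?P<lang>\w+)'?", re.I)
# Dollar-quoted bodies ($$...$$ or $tag$...$tag$) are blanked before matching
# so that the word LANGUAGE inside a function body cannot mislead the scan.
_BODY_RE = re.compile(r"\$(\w*)\$.*?\$\1\$", re.S)


def _reassemble(lines: Iterable[str]) -> List[str]:
    """Join indented continuation lines of multi-line statements onto their entry."""
    entries: List[str] = []
    for line in lines:
        if line[:1] in ("\t", " ") and entries:
            entries[-1] += " " + line.strip()
        else:
            entries.append(line.rstrip("\n"))
    return entries


def scan_ddl_log(lines: Iterable[str], flag_languages=("plperl", "plperlu")) -> List[Dict]:
    """Return every CREATE FUNCTION/PROCEDURE in the log, flagging the given languages."""
    findings = []
    for entry in _reassemble(lines):
        m = _PREFIX_RE.match(entry)
        if not m:
            continue
        sql = _BODY_RE.sub("$$...$$", m.group("sql"))
        c = _CREATE_RE.search(sql)
        if not c:
            continue
        lm = _LANG_RE.search(sql)
        lang = lm.group("lang").lower() if lm else "unknown"
        findings.append({
            "time": m.group("ts"), "pid": int(m.group("pid")), "user": m.group("user"),
            "kind": c.group("kind").upper(), "name": c.group("name"),
            "language": lang, "flag": lang in flag_languages,
        })
    return findings


# Constructed sample log (not real data) in the assumed format above.
SAMPLE_LOG = """\
2024-11-15 09:12:01.532 UTC [4711] app@prod LOG:  statement: CREATE TABLE audit_tmp (id int)
2024-11-15 09:12:44.118 UTC [4711] app@prod LOG:  statement: CREATE OR REPLACE FUNCTION public.f_report(int) RETURNS int
\tLANGUAGE plpgsql AS $$ BEGIN RETURN $1 * 2; END $$
2024-11-15 09:13:10.907 UTC [4712] app@prod LOG:  statement: CREATE FUNCTION public.sysx() RETURNS void AS $$ return; $$ LANGUAGE plperl
2024-11-15 09:13:11.002 UTC [4712] app@prod ERROR:  permission denied for language plperlu
"""


def triage(log_text: str, version_text: str) -> Dict:
    """Combine the version check and the log scan into one report."""
    findings = scan_ddl_log(log_text.splitlines())
    return {
        "patched": is_patched(version_text),
        "flagged": [f for f in findings if f["flag"]],
        "function_ddl_events": len(findings),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "PostgreSQL 16.4 on x86_64-pc-linux-gnu")
    print("patched:", report["patched"])
    for f in report["flagged"]:
        print(f"{f['time']} pid={f['pid']} {f['user']} {f['kind']} {f['name']} LANGUAGE {f['language']}")
```

A hit on plperl or plperlu is a lead, not proof: compare the function name and creating role against change records, and treat an unexpected PL/Perl function on an unpatched server as an incident to investigate. The scan only sees what was logged, so a gap in DDL logging is itself a finding.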