VDB
ALPINE-CVE-2024-10979
ALPINE-CVE-2024-10979
PUBLISHED
CVSS 8.800000190734863 HIGH
Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Risk Scores
CVSS v3.1
8.800000190734863
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.17 | postgresql14 | 14.1-r0, 9.3.5-r0, 9.3.4-r0 |
| Alpine:v3.17 | postgresql15 | 15.1-r0, 15.2-r0, 15.3-r0 |
| Alpine:v3.19 | postgresql16 | 16.0-r1, 0, 16.0-r0 |
| Alpine:v3.21 | postgresql17 | 0, 17.0-r1, 17.0-r0 |
| Alpine:v3.20 | postgresql16 | 16.2-r4, 16.3-r0, 16.4-r0 |
| Alpine:v3.22 | postgresql16 | 16.4-r1, 16.2-r0, 16.0-r2 |
| Alpine:v3.23 | postgresql17 | 0, 17.0-r1, 17.0-r0 |
| Alpine:v3.22 | postgresql17 | 0, 17.0-r0, 17.0-r1 |
| Alpine:v3.19 | postgresql15 | 0, 0, 15.1-r0 |
| Alpine:v3.21 | postgresql16 | 16.0-r0, 16.0-r1, 16.0-r2 |
| Alpine:v3.18 | postgresql14 | 11.0-r0, 11.1-r0, 11.2-r0 |
| Alpine:v3.18 | postgresql15 | 15.6-r0, 15.3-r0, 15.2-r1 |
| Alpine:v3.20 | postgresql15 | 15.4-r1, 15.5-r0, 15.6-r0 |
Timeline
- Nov 14, 2024 CVE Published
- Dec 3, 2025 CVE Updated
- Apr 30, 2026 Distribution Patch