PostgreSQL 12.x < 12.21 / 13.x < 13.17 / 14.x < 14.14 / 15.x < 15.9 / 16.x < 16.5 / 17.x < 17.1 Multiple Vulnerabilities

high Nessus Plugin ID 211655

Synopsis

The remote database server is affected by multiple vulnerabilities

Description

The version of PostgreSQL installed on the remote host is 12 prior to 12.21, 13 prior to 13.17, 14 prior to 14.14, 15 prior to 15.9, 16 prior to 16.5, or 17 prior to 17.1. As such, it is potentially affected by multiple vulnerabilities :

- Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. (CVE-2024-10979)

- Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. (CVE-2024-10978)

- Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. (CVE-2024-10977)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to PostgreSQL 13.17 / 14.14 / 15.9 / 16.5 / 17.1 or later

See Also

http://www.nessus.org/u?e9644dd1

Plugin Details

Severity: High

ID: 211655

File Name: postgresql_20241114.nasl

Version: 1.2

Type: local

Family: Databases

Published: 11/20/2024

Updated: 11/22/2024

Supported Sensors: Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2024-10979

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:postgresql:postgresql

Exploit Ease: No known exploits are available

Patch Publication Date: 11/14/2024

Vulnerability Publication Date: 11/14/2024

Reference Information

CVE: CVE-2024-10976, CVE-2024-10977, CVE-2024-10978, CVE-2024-10979

IAVB: 2024-B-0175