#postgres

Cybersecurity researchers have disclosed a high-severity security flaw in the PostgreSQL open-source database system that could allow unprivileged users to alter environment variables, and potentially lead to code execution or information disclosure. The vulnerability, tracked as CVE-2024-10979, carries a CVSS score of 8.8. Environment variables are user-defined values that can allow a program

Several versions of PostgreSQL are impacted, and customers will need to upgrade in order to patch.

CISOs understand the risk scenarios that can help create safeguards so everyone can use AI safely and focus on the technology's promises and opportunities.

**What privileges could be gained by an attacker who successfully exploited the vulnerability?** An attacker who successfully exploits this vulnerability would gain the same privileges as the SuperUser role.

**How could an attacker exploit this vulnerability?** An attacker with the administrator role of "azure\_pg\_admin" in the target environment could exploit this vulnerability to gain the same privileges as a SuperUser by sending a specially crafted request to an Azure Database for PostgreSQL Flexible Server with specific non-default functionality enabled.

IBM Security Verify Access versions prior to 10.0.8 suffer from authentication bypass, reuse of private keys, local privilege escalation, weak settings, outdated libraries, missing password, hardcoded secrets, remote code execution, missing authentication, null pointer dereference, and lack of privilege separation vulnerabilities.

### Impact _What kind of vulnerability is it? Who is impacted?_ In certain *very specific* situations, it was possible for the policies of an update action to be skipped. This occurred only on "empty" update actions (no changing fields), and would allow their hooks (side effects) to be performed when they should not have been. Note that this does not allow reading new data that the user should not have had access to, only triggering a side effect a user should not have been able to trigger. You must have an update action that: - Is on a resource with no attributes containing an "update default" (updated_at timestamp, for example) - can be performed atomically. - Does *not* have `require_atomic? false` - Has at least one authorizer (typically `Ash.Policy.Authorizer`) - Has at least one `change` (on the resource's `changes` block or in the action itself) This is where the side-effects would be performed when they should not have been. --- - Is there ever a place where you call t...

Ubuntu Security Notice 6968-3 - USN-6968-1 fixedCVE-2024-7348 in PostgreSQL-12, PostgreSQL-14, and PostgreSQL-16. This update provides the corresponding updates for PostgreSQL-9.3 in Ubuntu 14.04 LTS and PostgreSQL-10 in Ubuntu 18.04 LTS. Noah Misch discovered that PostgreSQL incorrectly handled certain SQL objects. An attacker could possibly use this issue to execute arbitrary SQL functions as the superuser.

Acronis Cyber Infrastructure version 5.0.1-61 suffers from a cross site request forgery vulnerability.

### Summary The endpoint `/site-structure/localizer/save-string/:lang/:defstring` accepts two parameter values: `lang` and `defstring`. These values are used in an unsafe way to set the keys and value of the `cfgStrings` object. It allows to add/modify properties of the `Object prototype` that result in several logic issues, including: - RCE vulnerabilities by polluting the `tempRootFolder` property - SQL injection vulnerabilities by polluting the `schema` property when using `PostgreSQL` database. ### Details - file: https://github.com/saltcorn/saltcorn/blob/v1.0.0-beta.13/packages/server/routes/infoarch.js#L236-L239 ```js router.post( "/localizer/save-string/:lang/:defstring", isAdmin, error_catcher(async (req, res) => { const { lang, defstring } = req.params; // source const cfgStrings = getState().getConfigCopy("localizer_strings"); if (cfgStrings[lang]) cfgStrings[lang][defstring] = text(req.body.value); // [1] sink else cfgStrings[lang] = { [defstring]...