High-risk security vulnerability in PostgreSQL: GitLab has not (yet) patched it

A publicly known vulnerability allows unprivileged database users to execute arbitrary code on a PostgreSQL server. A fix is available; GitLab has not yet shipped it.



Although a serious PostgreSQL security problem has been public since November 18, GitLab has not yet applied the corresponding patches. One of the vulnerabilities allows unprivileged database users to execute arbitrary code on the database server.

PostgreSQL rates this vulnerability, CVE-2024-10979, 8.8 out of 10 on the CVSS v3 scale. Database users without administrator rights can change environment variables of the server process, such as PATH, through PL/Perl and use them to execute arbitrary code with the privileges of the database server, even without an operating-system account on the host.


PostgreSQL has already fixed the vulnerabilities and recommends installing versions 12.21, 13.17, 14.14, 15.9, 16.5 and 17.1 immediately. As in March, readers pointed out to us that GitLab is still shipping the old, vulnerable versions 14.11 and 16.4 and is delaying the updates.
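To check whether a given server is still on a vulnerable build, here is an added example (not code from heise, PostgreSQL or GitLab) that parses the string returned by `SELECT version()` (or the integer returned by `SHOW server_version_num`) and compares it against the fix levels listed above. It covers all supported branches rather than only GitLab's 14.11 and 16.4; the sample version strings are constructed for illustration, and the PL/Perl query is included because CVE-2024-10979 is only reachable where that extension is installed.

```python
"""Compare PostgreSQL server versions against the November 2024 fix releases.

Added example; not the page's, PostgreSQL's or GitLab's own code.
"""
import re

# Minor releases that contain the fix, per supported major branch
# (PostgreSQL November 2024 release: 12.21, 13.17, 14.14, 15.9, 16.5, 17.1).
FIXED_MINOR = {12: 21, 13: 17, 14: 14, 15: 9, 16: 5, 17: 1}

# CVE-2024-10979 lives in PL/Perl; a server without plperl/plperlu installed
# does not expose it, but still needs the update for the other fixed CVEs.
PLPERL_CHECK_SQL = (
    "SELECT extname FROM pg_extension WHERE extname IN ('plperl', 'plperlu');"
)

_VERSION_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)")


def parse_version(version_string: str) -> tuple[int, int]:
    """Extract (major, minor) from the output of `SELECT version()`."""
    m = _VERSION_RE.search(version_string)
    if not m:
        raise ValueError(f"not a PostgreSQL version() string: {version_string!r}")
    return int(m.group(1)), int(m.group(2))


def from_version_num(server_version_num: int) -> tuple[int, int]:
    """Split `server_version_num` (major * 10000 + minor for PostgreSQL 10+)."""
    return divmod(server_version_num, 10000)


def is_patched(major: int, minor: int) -> bool:
    """True when the branch is at or above the fixed minor release.

    Branches older than 12 are end-of-life and get no fix, so they count as
    unpatched; majors newer than the table were branched after the fix.
    """
    if major > max(FIXED_MINOR):
        return True
    fixed = FIXED_MINOR.get(major)
    if fixed is None:
        return False
    return minor >= fixed


def assess(version_string: str) -> dict:
    """Summarise one server: current version, patched flag, required release."""
    major, minor = parse_version(version_string)
    fixed = FIXED_MINOR.get(major)
    return {
        "version": f"{major}.{minor}",
        "patched": is_patched(major, minor),
        "needed": f"{major}.{fixed}" if fixed else "upgrade to a supported branch",
    }


# Constructed sample outputs of `SELECT version()`; the first two mirror the
# builds GitLab was still shipping at the time of the article.
SAMPLE_VERSIONS = [
    "PostgreSQL 14.11 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit",
    "PostgreSQL 16.4 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit",
    "PostgreSQL 16.5 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit",
    "PostgreSQL 17.1 on aarch64-unknown-linux-gnu, compiled by gcc (GCC) 13.2.0, 64-bit",
]

if __name__ == "__main__":
    for v in SAMPLE_VERSIONS:
        r = assess(v)
        state = "ok" if r["patched"] else f"VULNERABLE, need {r['needed']}"
        print(f"{r['version']:>6}: {state}")
    print("Then run against each server:", PLPERL_CHECK_SQL)
```

Feed it the `version()` output collected from each instance; anything reported as vulnerable on a host where the PL/Perl query returns rows is exposed to CVE-2024-10979 by any user allowed to create PL/Perl functions, and every unpatched host still needs the update for the remaining fixes in the same release.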

The editorial team asked GitLab for a statement; GitLab had not responded by the time of publication.

(who)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.