SQL Injection Vulnerability in PostgreSQL Database by PostgreSQL Global Development Group
CVE-2015-0244

9.8CRITICAL

Key Information:

Vendor
Postgresql Global Development Group
Status
Postgresql
Vendor
CVE Published:
27 January 2020

Summary

The vulnerability in PostgreSQL allows remote attackers to exploit improper error handling while reading protocol messages. By sending crafted binary data as a parameter, an attacker can trigger a loss of synchronization in the protocol, effectively causing part of the message to be processed as a new one. This can lead to unauthorized SQL command execution and potentially compromise the database integrity.

Affected Version(s)

PostgreSQL before 9.0.19

PostgreSQL 9.1.x before 9.1.15

PostgreSQL 9.2.x before 9.2.10

References

http://www.postgresql.org/docs/9.4/static/release-9-4-1.html
x_refsource_CONFIRM
http://www.postgresql.org/docs/current/static/release-9-0...
x_refsource_CONFIRM
http://www.postgresql.org/docs/current/static/release-9-1...
x_refsource_CONFIRM

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.