Unauthenticated Server Vulnerability in PostgreSQL Affects Libpq Clients
CVE-2022-41862

3.7 LOW

Key Information:

Vendor:
PostgreSQL
CVE Published:
3 March 2023

Summary

In certain configurations of PostgreSQL, an unauthenticated server may exploit a flaw during the establishment of Kerberos transport encryption. This can lead to a libpq client over-reading its input, potentially resulting in error messages that reveal uninitialized memory bytes. This could expose sensitive information or allow for further attacks against client applications that rely on PostgreSQL for secure database transactions.

Affected Version(s)

postgresql postgresql 5.2, postgresql 14.7, postgresql 13.10, postgresql 12.14, postgresql 11.19

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
