PostgreSQL Server Error Message Vulnerability Affects Multiple Versions
CVE-2024-10977

3.7 LOW

Key Information:

Vendor:
PostgreSQL
CVE Published:
14 November 2024

Summary

A vulnerability in PostgreSQL allows a compromised server, when the client uses inadequate SSL or GSS settings, to serve arbitrary non-NUL bytes to the libpq application. Such bytes can mislead users or automated scripts into treating an error message as valid query results. The risk is greatest in environments where the user interface does not clearly distinguish error messages from other text, where the confusion could give an attacker an opening. Affected versions are those earlier than PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21.
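As a defender-side configuration check, added here and not part of the advisory or of PostgreSQL's own code: a small audit of libpq connection strings that flags settings under which libpq may still negotiate an unencrypted connection. It assumes only libpq's documented sslmode and gssencmode values and ignores environment variables and service files; upgrading to the fixed versions listed above remains the actual remediation.

```python
import re
from urllib.parse import parse_qs, urlparse

# libpq sslmode values under which a plaintext connection is still possible
WEAK_SSLMODES = {"disable", "allow", "prefer"}
KNOWN_SSLMODES = WEAK_SSLMODES | {"require", "verify-ca", "verify-full"}


def parse_conninfo(dsn):
    """Return libpq options from a key=value conninfo string or a postgresql:// URI.
    Only the DSN itself is inspected; PG* environment variables are not considered."""
    opts = {}
    if dsn.startswith(("postgresql://", "postgres://")):
        for key, values in parse_qs(urlparse(dsn).query).items():
            opts[key] = values[-1]  # libpq uses the last occurrence of a key
        return opts
    # key=value pairs separated by whitespace; values may be single-quoted
    for m in re.finditer(r"(\w+)\s*=\s*('((?:\\.|[^'])*)'|\S+)", dsn):
        opts[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return opts


def encryption_verdict(dsn):
    """Classify whether the DSN lets libpq fall back to an unencrypted session.

    Returns (level, reason) with level one of "ok", "warn", "weak" or "error".
    """
    opts = parse_conninfo(dsn)
    sslmode = opts.get("sslmode", "prefer")        # libpq default
    gssencmode = opts.get("gssencmode", "prefer")  # libpq default
    if gssencmode == "require":
        return "ok", "gssencmode=require: GSSAPI encryption is mandatory"
    if sslmode not in KNOWN_SSLMODES:
        return "error", f"unknown sslmode value {sslmode!r}"
    if sslmode == "verify-full":
        return "ok", "sslmode=verify-full: TLS mandatory and server identity verified"
    if sslmode in ("require", "verify-ca"):
        return "warn", f"sslmode={sslmode}: TLS mandatory, but host name is not verified"
    return "weak", f"sslmode={sslmode}: libpq may accept an unencrypted connection"


if __name__ == "__main__":
    # constructed sample DSNs, not taken from any real deployment
    for sample in ("host=db.example.com user=app",
                   "host=db.example.com user=app sslmode=require",
                   "postgresql://app@db.example.com/app?sslmode=verify-full"):
        level, reason = encryption_verdict(sample)
        print(f"{level:5s} {reason}")
```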

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 14 November 2024