Sensitive-information disclosure through incorrect error handling in PostgreSQL's snprintf implementation
Description
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7 and 9.4.x before 9.4.2 does not properly handle errors from the system calls it relies on. This allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as demonstrated by an out-of-memory error: when an underlying allocation fails, PostgreSQL's own snprintf() does not report the failure, so a caller that trusts the return value can go on to use a string that is not the one it asked for. The fix ships in 9.0.20, 9.1.16, 9.2.11, 9.3.7 and 9.4.2.
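The bug class described above, as an added example in C that is not PostgreSQL's source: a hypothetical snprintf replacement that formats through a heap scratch buffer, shown once with an allocation failure swallowed (the pattern behind this CVE) and once with it propagated to the caller. The fault-injection flag fail_next_alloc, the helper names (scratch_alloc, format_via_scratch, build_path, the demo_* functions) and the sample path components are all constructed for this illustration.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fault injection (an assumption of this example): when set, the
 * next scratch allocation fails with ENOMEM, standing in for a real OOM. */
static int fail_next_alloc = 0;

static void *scratch_alloc(size_t n)
{
    if (fail_next_alloc) { fail_next_alloc = 0; errno = ENOMEM; return NULL; }
    return malloc(n);
}

/* Shared body of the hypothetical replacement: format into a heap scratch
 * buffer, then copy at most size-1 bytes into dst. Returns the length the
 * full output would have, or -1 with errno set when anything failed. */
static int format_via_scratch(char *dst, size_t size, const char *fmt, va_list ap)
{
    char *scratch = scratch_alloc(1024); int n;
    if (scratch == NULL)
        return -1;                               /* errno is already ENOMEM */
    n = vsnprintf(scratch, 1024, fmt, ap);
    if (n < 0) { free(scratch); return -1; }     /* vsnprintf set errno */
    if (dst != NULL && size > 0) { strncpy(dst, scratch, size - 1); dst[size - 1] = '\0'; }
    free(scratch);
    return n;
}

/* BUGGY variant (the pattern behind the CVE, not PostgreSQL's actual code):
 * any internal failure is reported as 0, which a caller reads as "formatted
 * an empty string", and dst is left holding whatever it held before. */
static int snprintf_buggy(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = format_via_scratch(dst, size, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : n;
}

/* FIXED variant: propagate the negative return so the caller can refuse to
 * use dst; errno still carries the underlying cause. */
static int snprintf_fixed(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap; int n;
    va_start(ap, fmt);
    n = format_via_scratch(dst, size, fmt, ap);
    va_end(ap);
    return n;
}

/* Typical caller: build a path that will be handed to open() or unlink().
 * Returns 0 when path is safe to use, -1 on error or truncation. */
static int build_path(int (*fn)(char *, size_t, const char *, ...),
                      char *path, size_t size, const char *dir, const char *name)
{
    int n = fn(path, size, "%s/%s", dir, name);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Each demo returns 1 when the behaviour its name describes is observed. */
int demo_normal_format(void)
{
    char path[32];
    fail_next_alloc = 0;
    return build_path(snprintf_fixed, path, sizeof path, "base", "file.dat") == 0
        && strcmp(path, "base/file.dat") == 0;
}

int demo_buggy_hides_oom(void)
{
    char path[32];
    strcpy(path, "old/stale-value");             /* left over from an earlier call */
    fail_next_alloc = 1;
    /* The caller is told the path is fine, yet it is still the stale one. */
    return build_path(snprintf_buggy, path, sizeof path, "base", "file.dat") == 0
        && strcmp(path, "old/stale-value") == 0;
}

int demo_fixed_reports_oom(void)
{
    char path[32];
    strcpy(path, "old/stale-value");
    fail_next_alloc = 1;
    errno = 0;
    return build_path(snprintf_fixed, path, sizeof path, "base", "file.dat") == -1
        && errno == ENOMEM;
}

int main(void)
{
    printf("normal=%d buggy_hides_oom=%d fixed_reports_oom=%d\n",
           demo_normal_format(), demo_buggy_hides_oom(), demo_fixed_reports_oom());
    return 0;
}
```

With the buggy variant, build_path() reports success while path still holds the stale string from an earlier call, which is how an unchecked formatting error turns into use of the wrong data; the fixed variant returns -1 with errno set to ENOMEM and the caller refuses the buffer. A real fix also has to audit callers, because a caller that ignores a negative return gets no protection from the corrected library.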
Affected software versions
- PostgreSQL before 9.0.20
- 9.1.x before 9.1.16
- 9.2.x before 9.2.11
- 9.3.x before 9.3.7
- 9.4.x before 9.4.2
Vulnerability type
- Information disclosure
Vulnerable configurations: any one of the affected PostgreSQL version ranges listed above.
CVSS3: 9.8 Critical
CVSS2: 7.5 High
Related vulnerabilities
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as demonstrated by an out-of-memory error.