Описание
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.
A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| CloudForms Management Engine 5 | postgresql | Affected | ||
| CloudForms Management Engine 5 | postgresql92-postgresql | Affected | ||
| Red Hat Enterprise Linux 5 | postgresql | Will not fix | ||
| Red Hat Enterprise Linux 5 | postgresql84 | Will not fix | ||
| Red Hat Enterprise Linux 6 | postgresql | Will not fix | ||
| Red Hat Enterprise Linux 7 | postgresql | Fixed | RHSA-2016:2606 | 03.11.2016 |
| Red Hat Satellite 5.7 | rh-postgresql95 | Fixed | RHSA-2017:2425 | 07.08.2017 |
| Red Hat Satellite 5.7 | rh-postgresql95-postgresql | Fixed | RHSA-2017:2425 | 07.08.2017 |
| Red Hat Satellite 5.7 | spacewalk-backend | Fixed | RHSA-2017:2425 | 07.08.2017 |
| Red Hat Satellite 5.7 | spacewalk-postgresql-server | Fixed | RHSA-2017:2425 | 07.08.2017 |
Показывать по
Дополнительная информация
Статус:
8.5 High
CVSS3
6.5 Medium
CVSS2
Связанные уязвимости
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9. ...
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.
8.5 High
CVSS3
6.5 Medium
CVSS2