CVE-2015-0242
Severity CVSS v4.0:
Pending analysis
Type:
CWE-787
Out-of-bounds Write
Publication date:
27/01/2020
Last modified:
31/01/2020
Description
Stack-based buffer overflow in the *printf function implementations in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1, when running on a Windows system, allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a floating point number with a large precision, as demonstrated by using the to_char function.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Base Score 2.0
6.50
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* | 9.0.19 (excluding) | |
| cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* | 9.1.0 (including) | 9.1.15 (excluding) |
| cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* | 9.2.0 (including) | 9.2.10 (excluding) |
| cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* | 9.3.0 (including) | 9.3.6 (excluding) |
| cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* | 9.4.0 (including) | 9.4.1 (excluding) |
| cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://www.debian.org/security/2015/dsa-3155
- http://www.postgresql.org/about/news/1569/
- http://www.postgresql.org/docs/9.4/static/release-9-4-1.html
- http://www.postgresql.org/docs/current/static/release-9-0-19.html
- http://www.postgresql.org/docs/current/static/release-9-1-15.html
- http://www.postgresql.org/docs/current/static/release-9-2-10.html
- http://www.postgresql.org/docs/current/static/release-9-3-6.html