CVE-2015-0244
Severity CVSS v4.0:
Pending analysis
Type:
CWE-89
SQL Injection
Publication date:
27/01/2020
Last modified:
31/01/2020
Description
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 does not properly handle errors while reading a protocol message, which allows remote attackers to conduct SQL injection attacks via crafted binary data in a parameter and causing an error, which triggers the loss of synchronization and part of the protocol message to be treated as a new message, as demonstrated by causing a timeout or query cancellation.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* | 9.0.19 (excluding) | |
| cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* | 9.1.0 (including) | 9.1.15 (excluding) |
| cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* | 9.2.0 (including) | 9.2.10 (excluding) |
| cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* | 9.3.0 (including) | 9.3.6 (excluding) |
| cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* | 9.4.0 (including) | 9.4.1 (excluding) |
| cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://www.debian.org/security/2015/dsa-3155
- http://www.postgresql.org/about/news/1569/
- http://www.postgresql.org/docs/9.4/static/release-9-4-1.html
- http://www.postgresql.org/docs/current/static/release-9-0-19.html
- http://www.postgresql.org/docs/current/static/release-9-1-15.html
- http://www.postgresql.org/docs/current/static/release-9-2-10.html
- http://www.postgresql.org/docs/current/static/release-9-3-6.html