CVE-2012-0867 — Improper Input Validation in Postgresql

CWE-20 — Improper Input Validation CWE-295 — Improper Certificate Validation7 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

1.9%

top 16.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

11

Debian Linux Opensuse Project Opensuse Postgresql +8 more

Timeline

PublishedJul 18

Latest updateMay 17

Description

PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.

CVSS vector

AV:N/AC:M/C:N/I:P/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages7 packages

▶NVDpostgresql/postgresql21 versions+20

▶NVDopensuse_project/opensuse12.2

▶NVDredhat/desktop_workstation5

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop5.0, 6.0+1

Also affects: Debian Linux 6.0, Enterprise Linux 5.0, 6.2, 6.2.z

🔴Vulnerability Details

2

GHSA

GHSA-r7m2-9mgg-wfjc: PostgreSQL 8↗2022-05-17

▶

CVEList

CVE-2012-0867: PostgreSQL 8↗2012-07-18

▶

📋Vendor Advisories

2

Ubuntu

PostgreSQL vulnerabilities↗2012-02-28

▶

Red Hat

postgresql: MITM due improper x509_v3 CN validation during certificate verification↗2012-02-27

▶

💬Community

2

Bugzilla

CVE-2012-0866 CVE-2012-0867 CVE-2012-0868 postgresql various flaws [fedora-all]↗2012-02-27

▶

Bugzilla

CVE-2012-0867 postgresql: MITM due improper x509_v3 CN validation during certificate verification↗2012-02-27

▶

CVE-2012-0867 — Improper Input Validation in Postgresql | cvebase