CVE-2014-8161 — Information Exposure via Error Message in Postgresql

CWE-209 — Information Exposure via Error Message CWE-662 — Improper Synchronization CWE-300 — Channel Accessible by Non-Endpoint10 documents8 sources

Severity

4.3MEDIUMNVD

EPSS

0.7%

top 27.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Postgresql Global Development Group Postgresql Debian Linux

Timeline

PublishedJan 27

Latest updateMay 17

Description

PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶NVDpostgresql/postgresql9.1.0 — 9.1.15+4

▶CVEListV5postgresql_global_development_group/postgresql5 versions+4

Also affects: Debian Linux 7.0, 8.0

🔴Vulnerability Details

GHSA

GHSA-qxj3-8772-4f6w: PostgreSQL before 9↗2022-05-17

▶

CVEList

CVE-2014-8161: PostgreSQL before 9↗2020-01-27

▶

OSV

postgresql-8.4, postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities↗2015-02-11

▶

OSV

CVE-2014-8161: PostgreSQL before 9↗2015-02-06

▶

📋Vendor Advisories

Ubuntu

PostgreSQL vulnerabilities↗2015-02-11

▶

Red Hat

postgresql: information leak through constraint violation errors↗2015-02-05

▶

Apple

CVE-2014-8161: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

Apple

CVE-2014-8161: OS X Server v5.0.3↗

▶

💬Community

Bugzilla

CVE-2014-8161 postgresql: information leak through constraint violation errors↗2015-01-14

▶