CVE-2015-0244 — SQL Injection in Postgresql

CWE-89 — SQL Injection CWE-662 — Improper Synchronization CWE-300 — Channel Accessible by Non-Endpoint9 documents8 sources

Severity

9.8CRITICALNVD

EPSS

1.1%

top 22.13%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Postgresql Global Development Group Postgresql Debian Linux

Timeline

PublishedJan 27

Latest updateMay 24

Description

PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 does not properly handle errors while reading a protocol message, which allows remote attackers to conduct SQL injection attacks via crafted binary data in a parameter and causing an error, which triggers the loss of synchronization and part of the protocol message to be treated as a new message, as demonstrated by causing a timeout or query cancellation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

▶NVDpostgresql/postgresql9.1.0 — 9.1.15+4

▶CVEListV5postgresql_global_development_group/postgresql5 versions+4

Also affects: Debian Linux 7.0, 8.0

🔴Vulnerability Details

GHSA

GHSA-xvhg-pwg9-qp4r: PostgreSQL before 9↗2022-05-24

▶

CVEList

CVE-2015-0244: PostgreSQL before 9↗2020-01-27

▶

OSV

CVE-2015-0244: PostgreSQL before 9↗2015-02-06

▶

📋Vendor Advisories

Red Hat

postgresql: loss of frontend/backend protocol synchronization after an error↗2015-02-16

▶

Ubuntu

PostgreSQL vulnerabilities↗2015-02-11

▶

Apple

CVE-2015-0244: OS X Server v5.0.3↗

▶

Apple

CVE-2015-0244: OS X Yosemite v10.10.5 and Security Update 2015-006↗

▶

💬Community

Bugzilla

CVE-2015-0244 postgresql: loss of frontend/backend protocol synchronization after an error↗2015-02-03

▶