CVE-2015-3167 — Sensitive Information Exposure in Postgresql

CWE-200 — Sensitive Information Exposure CWE-209 — Information Exposure via Error Message9 documents8 sources

Severity

7.5HIGHNVD

EPSS

1.8%

top 17.12%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Postgresql Global Development Group Postgresql Canonical Ubuntu Linux +1 more

Timeline

PublishedNov 20

Latest updateMay 24

Description

contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDpostgresql/postgresql9.1 — 9.1.16+4

▶CVEListV5postgresql_global_development_group/postgresql5 versions+4

Also affects: Debian Linux 7.0, 8.0, 9.0, Ubuntu Linux 12.04, 14.04, 14.10, 15.04

🔴Vulnerability Details

GHSA

GHSA-xj65-3378-xxg3: contrib/pgcrypto in PostgreSQL before 9↗2022-05-24

▶

CVEList

CVE-2015-3167: contrib/pgcrypto in PostgreSQL before 9↗2019-11-20

▶

OSV

postgresql-9.1, postgresql-9.3, postgresql-9.4 vulnerabilities↗2015-05-25

▶

OSV

CVE-2015-3167: contrib/pgcrypto in PostgreSQL before 9↗2015-05-22

▶

📋Vendor Advisories

Ubuntu

PostgreSQL vulnerabilities↗2015-05-25

▶

Red Hat

postgresql: pgcrypto has multiple error messages for decryption with an incorrect key.↗2015-05-22

▶

Apple

CVE-2015-3167: OS X Server v5.0.3↗

▶

💬Community

Bugzilla

CVE-2015-3167 postgresql: pgcrypto has multiple error messages for decryption with an incorrect key.↗2015-05-14

▶