CVE-2022-41862 — Sensitive Information Exposure in Postgresql
Severity: 3.7 LOW (NVD)
EPSS: 0.3% (top 44.88%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 3; Latest update Feb 15
Description
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.2 | Impact: 1.4
Affected Packages (2 packages)
CVEList V5, postgresql/postgresql: postgresql 5.2, postgresql 14.7, postgresql 13.10, postgresql 12.14, postgresql 11.19
Also affects: Fedora 8, Enterprise Linux 8.0
Vulnerability Details (3 sources)
GHSA, GHSA-fr68-cm8v-7vv6: In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption (2023-03-03)
OSV, CVE-2022-41862: In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption (2023-03-03)
CVEList, CVE-2022-41862: In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption (2023-03-03)
Vendor Advisories (5)
Microsoft: In PostgreSQL a modified unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to ov... (2023-03-14)
Red Hat
Debian, CVE-2022-41862: postgresql-13 - In PostgreSQL, a modified, unauthenticated server can send an unterminated strin... (2022)