CVE-2022-41862
Published: 2023-03-03
Severity: low (CVSS 3.1 base score 3.7)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | postgresql-13 | < postgresql-13 13.10-0+deb11u1 (bullseye) | postgresql-13 13.10-0+deb11u1 (bullseye) |
| debian | postgresql-15 | < postgresql-13 13.10-0+deb11u1 (bullseye) | postgresql-13 13.10-0+deb11u1 (bullseye) |
| fedoraproject | fedora | — | — |
| msrc | cbl2_postgresql_14.10-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl_mariner_2.0_arm | — | — |
| msrc | cbl_mariner_2.0_x64 | — | — |
| msrc | cm1_postgresql_12.15-1_on_cbl_mariner_1.0 | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | >= 12.0 < 12.14 | 12.14 |
| postgresql | postgresql | >= 13.0 < 13.10 | 13.10 |
| postgresql | postgresql | >= 14.0 < 14.7 | 14.7 |
| postgresql | postgresql | >= 15.0 < 15.2 | 15.2 |
| redhat | enterprise_linux | — | — |
CVSS provenance
NVD (CVSS v3.1): 3.7 LOW, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
OSV: 3.7 LOW
GHSA
GHSA-fr68-cm8v-7vv6: In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption
ghsa_unreviewed · 2023-03-03 · severity LOW · CWE-200
OSV
CVE-2022-41862: In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption
osv · 2023-03-03 · CVSS 3.7 · severity LOW
CISA ICS
Siemens SCALANCE XCM-/XRM-300 (ICS Advisory)
cisa_ics · 2024-02-15
Release Date: February 15, 2024
Alert Code: ICSA-24-046-11
As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services | Siemens Global).
## 1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE XCM-/XRM-300
- Vulnerabilities: Out-of-bounds Write, Incorrect Type Conversion or Cast, Improper Verification of Cryptographic Signature, Improper Access Control, Improper Authentication, Missing Encryption
Microsoft
vendor_msrc · 2023-03-14 · CVSS 3.7 · severity LOW · CWE-200
In PostgreSQL a modified unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information.
Ubuntu
PostgreSQL vulnerability
vendor_ubuntu · 2023-03-02 · CVE-2022-41862
Summary: PostgreSQL could be made to expose sensitive information over the network.
Jacob Champion discovered that the PostgreSQL client incorrectly handled Kerberos authentication. If a user or automated system were tricked into connecting to a malicious server, a remote attacker could possibly use this issue to obtain sensitive information.
Instructions: This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart PostgreSQL to make all the necessary changes.
Red Hat
postgresql: Client memory disclosure when connecting with Kerberos to modified server
vendor_redhat · 2023-02-09 · CVSS 3.7 · severity LOW · CWE-200
A flaw was found In PostgreSQL. A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions, a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
Package: quarkus-jdbc-postgresql-deployment (Red Hat build of Apicurio Registry 2) - Not affected
Package: org.postgresql/postgresql (Red Hat build of Q
Debian
CVE-2022-41862: postgresql-13
vendor_debian · 2022 · CVSS 3.7 · severity LOW
Scope: local
bullseye: resolved (fixed in 13.10-0+deb11u1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://bugzilla.redhat.com/show_bug.cgi?id=2165722
- https://security.netapp.com/advisory/ntap-20230427-0002/
- https://www.postgresql.org/support/security/CVE-2022-41862/