CVE-2024-10977 — Use of Less Trusted Source in Postgresql
Severity
3.7LOWNVD
CNA3.1OSV5.4
EPSS
0.3%
top 42.89%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedNov 14
Latest updateMar 19
Description
Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17…
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 2.2 | Impact: 1.4
Affected Packages9 packages
🔴Vulnerability Details
5GHSA▶
GHSA-62q4-hc79-94qj: Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to t↗2024-11-14
OSV▶
CVE-2024-10977: Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to t↗2024-11-14
📋Vendor Advisories
5Debian▶
CVE-2024-10977: postgresql-13 - Client use of server error message in PostgreSQL allows a server not trusted und...↗2024