A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. When a libpq client application has a Kerberos credential cache and doesn't explicitly disable option gssencmode
, a server can cause libpq to over-read and report an error message containing uninitialized bytes from and following its receive buffer. If libpq's caller somehow makes that message accessible to the attacker, this achieves a disclosure of the over-read bytes. We have not confirmed or ruled out viability of attacks that arrange for a crash or for presence of notable, confidential information in disclosed bytes.
The PostgreSQL project thanks Jacob Champion for reporting this problem.
Affected Version | Fixed In | Fix Published |
---|---|---|
15 | 15.2 | Feb. 9, 2023 |
14 | 14.7 | Feb. 9, 2023 |
13 | 13.10 | Feb. 9, 2023 |
12 | 12.14 | Feb. 9, 2023 |
For more information about PostgreSQL versioning, please visit the versioning page.
Overall Score | 3.7 |
---|---|
Component | client |
Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N |
If you wish to report a new security vulnerability in PostgreSQL, please send an email to [email protected].
For reporting non-security bugs, please see the Report a Bug page.