Overview
- Description
- Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
- Source
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- NVD status
- Awaiting Analysis
Risk scores
CVSS 3.1
- Type
- Secondary
- Base score
- 3.1
- Impact score
- 1.4
- Exploitability score
- 1.6
- Vector string
- CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
- Severity
- LOW
Weaknesses
- f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
- CWE-348
Social media
- Hype score
- Not currently trending
CVE-2024-10977 PostgreSQL Client Exploit via Error Message Manipulation in SSL/GSS A vulnerability exists in PostgreSQL's handling of server error messages. This issue impacts versions before PostgreSQL 17.1, 16.... https://t.co/tnoWFLbu6S
@VulmonFeeds
14 Nov 2024
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2024-10977 Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq applica… https://t.co/KFrOmnGldD
@CVEnew
14 Nov 2024
124 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes