Description
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as demonstrated by an out-of-memory error.
References (9)
Core 9
Core References
Vendor Advisory x_refsource_misc
http://www.postgresql.org/about/news/1587/
Release Notes, Vendor Advisory x_refsource_misc
http://www.postgresql.org/docs/9.0/static/release-9-0-20.html
Release Notes, Vendor Advisory x_refsource_misc
http://www.postgresql.org/docs/9.1/static/release-9-1-16.html
Release Notes, Vendor Advisory x_refsource_misc
http://www.postgresql.org/docs/9.2/static/release-9-2-11.html
Release Notes, Vendor Advisory x_refsource_misc
http://www.postgresql.org/docs/9.3/static/release-9-3-7.html
Release Notes, Vendor Advisory x_refsource_misc
http://www.postgresql.org/docs/9.4/static/release-9-4-2.html
Third Party Advisory x_refsource_misc
http://www.debian.org/security/2015/dsa-3269
Third Party Advisory x_refsource_misc
http://www.debian.org/security/2015/dsa-3270
Third Party Advisory x_refsource_misc
http://ubuntu.com/usn/usn-2621-1
Scores
CVSS v3
9.8
EPSS
0.0539
EPSS Percentile
90.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-119
Status
published
Products (8)
canonical/ubuntu_linux
12.04
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
14.10
canonical/ubuntu_linux
15.04
debian/debian_linux
7.0
debian/debian_linux
8.0
debian/debian_linux
9.0
postgresql/postgresql
< 9.0.20
Published
Nov 20, 2019
Tracked Since
Feb 18, 2026