Description
contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack.
References (9)
Vendor Advisory (x_refsource_misc): http://www.postgresql.org/about/news/1587/
Release Notes, Vendor Advisory (x_refsource_misc): http://www.postgresql.org/docs/9.0/static/release-9-0-20.html
Release Notes, Vendor Advisory (x_refsource_misc): http://www.postgresql.org/docs/9.1/static/release-9-1-16.html
Release Notes, Vendor Advisory (x_refsource_misc): http://www.postgresql.org/docs/9.2/static/release-9-2-11.html
Release Notes, Vendor Advisory (x_refsource_misc): http://www.postgresql.org/docs/9.3/static/release-9-3-7.html
Release Notes, Vendor Advisory (x_refsource_misc): http://www.postgresql.org/docs/9.4/static/release-9-4-2.html
Third Party Advisory (x_refsource_misc): http://www.debian.org/security/2015/dsa-3269
Third Party Advisory (x_refsource_misc): http://www.debian.org/security/2015/dsa-3270
Third Party Advisory (x_refsource_misc): http://ubuntu.com/usn/usn-2621-1
Scores
CVSS v3: 7.5
EPSS: 0.0181
EPSS Percentile: 83.1%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
CWE: CWE-200
Status: published
Products (8)
canonical/ubuntu_linux 12.04
canonical/ubuntu_linux 14.04
canonical/ubuntu_linux 14.10
canonical/ubuntu_linux 15.04
debian/debian_linux 7.0
debian/debian_linux 8.0
debian/debian_linux 9.0
postgresql/postgresql < 9.0.20
Published: Nov 20, 2019
Tracked Since: Feb 18, 2026