CVE-2017-15098
HIGHPostgreSQL 9.3.x-9.6.x < 10.1 - Memory Disclosure via json_populate_recordset
Title source: llmDescription
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.
References (8)
Core 8
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/101781
Issue Tracking, Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2017/dsa-4027
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2511
Issue Tracking, Vendor Advisory x_refsource_misc
https://www.postgresql.org/support/security/
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1039752
Issue Tracking, Vendor Advisory x_refsource_confirm
https://www.postgresql.org/about/news/1801/
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:2566
Issue Tracking, Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2017/dsa-4028
Scores
CVSS v3
8.1
EPSS
0.0086
EPSS Percentile
75.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
Details
CWE
CWE-200
Status
published
Products (50)
debian/debian_linux
8.0
postgresql/postgresql
9.3
postgresql/postgresql
9.3.1
postgresql/postgresql
9.3.2
postgresql/postgresql
9.3.3
postgresql/postgresql
9.3.4
postgresql/postgresql
9.3.5
postgresql/postgresql
9.3.6
postgresql/postgresql
9.3.7
postgresql/postgresql
9.3.8
... and 40 more
Published
Nov 22, 2017
Tracked Since
Feb 18, 2026