CVE-2015-3167

high

Description

contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack.

References

Advisories
More

http://www.debian.org/security/2015/dsa-3270

http://www.debian.org/security/2015/dsa-3269

http://ubuntu.com/usn/usn-2621-1

http://www.postgresql.org/docs/9.4/static/release-9-4-2.html

http://www.postgresql.org/docs/9.3/static/release-9-3-7.html

http://www.postgresql.org/docs/9.2/static/release-9-2-11.html

http://www.postgresql.org/docs/9.1/static/release-9-1-16.html

http://www.postgresql.org/docs/9.0/static/release-9-0-20.html

http://www.postgresql.org/about/news/1587/

Details

Source: Mitre, NVD

Published: 2019-11-20

Updated: 2019-11-22

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: High

EPSS

EPSS: 0.01681