CVE-2017-15098

HIGH
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.

References

http://www.securityfocus.com/bid/101781

http://www.securitytracker.com/id/1039752

https://access.redhat.com/errata/RHSA-2018:2511

https://access.redhat.com/errata/RHSA-2018:2566

https://www.debian.org/security/2017/dsa-4027

https://www.debian.org/security/2017/dsa-4028

https://www.postgresql.org/about/news/1801/

https://www.postgresql.org/support/security/

Details

Source: MITRE

Published: 2017-11-22

Updated: 2018-08-28

Type: CWE-200

Risk Information

CVSS v2

Base Score: 5.5

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:P

Impact Score: 4.9

Exploitability Score: 8

Severity: MEDIUM

CVSS v3

Base Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Impact Score: 5.2

Exploitability Score: 2.8

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:postgresql:postgresql:9.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.17:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.18:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.3.19:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.4.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.5.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.5.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.5.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.5.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.5.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.5.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.5.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.5.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.5.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.6.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.6.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.6.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.6.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.6.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:10:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Tenable Plugins

View all (15 total)

IDNameProductFamilySeverity
111897Photon OS 1.0: Curl / Glibc PHSA-2017-0048 (deprecated)NessusPhotonOS Local Security Checks
medium
108520Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838)NessusJunos Local Security Checks
critical
106965openSUSE Security Update : postgresql95 (openSUSE-2018-204)NessusSuSE Local Security Checks
critical
106067openSUSE Security Update : postgresql94 (openSUSE-2018-38)NessusSuSE Local Security Checks
high
106049SUSE SLED12 / SLES12 Security Update : postgresql94 (SUSE-SU-2018:0081-1)NessusSuSE Local Security Checks
high
106047SUSE SLES11 Security Update : postgresql94 (SUSE-SU-2018:0077-1)NessusSuSE Local Security Checks
high
105458SUSE SLED12 / SLES12 Security Update : postgresql96 (SUSE-SU-2017:3391-1)NessusSuSE Local Security Checks
high
105454openSUSE Security Update : postgresql96 (openSUSE-2017-1411)NessusSuSE Local Security Checks
high
105055Amazon Linux AMI : postgresql92 / postgresql93,postgresql94 (ALAS-2017-931)NessusAmazon Linux Local Security Checks
high
105054Amazon Linux AMI : postgresql95 / postgresql96 (ALAS-2017-930)NessusAmazon Linux Local Security Checks
high
104574PostgreSQL 9.2.x < 9.2.24 / 9.3.x < 9.3.20 / 9.4.x < 9.4.15 / 9.5.x < 9.5.10 / 9.6.x < 9.6.6 / 10.x < 10.1 Multiple VulnerabilitiesNessusDatabases
medium
104569Ubuntu 14.04 LTS / 16.04 LTS / 17.04 / 17.10 : postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities (USN-3479-1)NessusUbuntu Local Security Checks
high
104489FreeBSD : PostgreSQL vulnerabilities (1f02af5d-c566-11e7-a12d-6cc21735f730)NessusFreeBSD Local Security Checks
high
104484Debian DSA-4028-1 : postgresql-9.6 - security updateNessusDebian Local Security Checks
high
104483Debian DSA-4027-1 : postgresql-9.4 - security updateNessusDebian Local Security Checks
high