CVE-2015-3167

HIGH severity · CVSS 7.5 · Information disclosure

7.5CVSS HIGH

Summary

contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredNone

User interactionNone

Confidentiality impactHigh

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)2%

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected products we track (1)

PostgreSQL

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

Additional information

NVD record
http://www.postgresql.org/about/news/1587/Advisory
http://www.postgresql.org/docs/9.0/static/release-9-0-20.htmlAdvisory
http://www.postgresql.org/docs/9.1/static/release-9-1-16.htmlAdvisory
http://www.postgresql.org/docs/9.2/static/release-9-2-11.htmlAdvisory
http://www.postgresql.org/docs/9.3/static/release-9-3-7.htmlAdvisory
http://ubuntu.com/usn/usn-2621-1Advisory
http://www.debian.org/security/2015/dsa-3269Advisory
http://www.debian.org/security/2015/dsa-3270Advisory