CVE-2015-5288

MEDIUM severity · CVSS 6.4 · Information disclosure

6.4CVSS MEDIUM

Summary

The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges required—

User interaction—

Confidentiality impact—

Integrity impactNone

Availability impact—

Exploit probability (EPSS)9%

AV:N/AC:L/Au:N/C:P/I:N/A:P

Affected products we track (1)

PostgreSQL

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172316.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169094.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00016.html
http://lists.opensuse.org/opensuse-updates/2015-11/msg00033.html
http://lists.opensuse.org/opensuse-updates/2015-11/msg00040.html
http://www.debian.org/security/2015/dsa-3374
http://www.debian.org/security/2016/dsa-3475
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html