{"containers": {"cna": {"affected": [{"product": "PostgreSQL", "vendor": "PostgreSQL Global Development Group", "versions": [{"status": "affected", "version": "before 9.0.20"}, {"status": "affected", "version": "9.1.x before 9.1.16"}, {"status": "affected", "version": "9.2.x before 9.2.11"}, {"status": "affected", "version": "9.3.x before 9.3.7"}, {"status": "affected", "version": "and 9.4.x before 9.4.2"}]}], "datePublic": "2015-05-22T00:00:00", "descriptions": [{"lang": "en", "value": "The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as demonstrated by an out-of-memory error."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-20T20:50:16", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/about/news/1587/"}, {"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.debian.org/security/2015/dsa-3269"}, {"tags": ["x_refsource_MISC"], "url": "http://www.debian.org/security/2015/dsa-3270"}, {"tags": ["x_refsource_MISC"], "url": "http://ubuntu.com/usn/usn-2621-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-3166", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PostgreSQL", "version": {"version_data": [{"version_value": "before 9.0.20"}, {"version_value": "9.1.x before 9.1.16"}, {"version_value": "9.2.x before 9.2.11"}, {"version_value": "9.3.x before 9.3.7"}, {"version_value": "and 9.4.x before 9.4.2"}]}}]}, "vendor_name": "PostgreSQL Global Development Group"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as demonstrated by an out-of-memory error."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Other"}]}]}, "references": {"reference_data": [{"name": "http://www.postgresql.org/about/news/1587/", "refsource": "MISC", "url": "http://www.postgresql.org/about/news/1587/"}, {"name": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html", "refsource": "MISC", "url": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html"}, {"name": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html", "refsource": "MISC", "url": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html"}, {"name": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html", "refsource": "MISC", "url": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html"}, {"name": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html", "refsource": "MISC", "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html"}, {"name": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html", "refsource": "MISC", "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html"}, {"name": "http://www.debian.org/security/2015/dsa-3269", "refsource": "MISC", "url": "http://www.debian.org/security/2015/dsa-3269"}, {"name": "http://www.debian.org/security/2015/dsa-3270", "refsource": "MISC", "url": "http://www.debian.org/security/2015/dsa-3270"}, {"name": "http://ubuntu.com/usn/usn-2621-1", "refsource": "MISC", "url": "http://ubuntu.com/usn/usn-2621-1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:39:31.938Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/about/news/1587/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3269"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3270"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://ubuntu.com/usn/usn-2621-1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-3166", "datePublished": "2019-11-20T20:50:16", "dateReserved": "2015-04-10T00:00:00", "dateUpdated": "2024-08-06T05:39:31.938Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "21D435C2-4D3A-447E-A8A5-66CC6925C105", "versionEndExcluding": "9.0.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "25EBF3A0-EC2E-4B96-8CC4-82AD2F0B9E67", "versionEndExcluding": "9.1.16", "versionStartIncluding": "9.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "220353A0-CF8E-45B7-9C4F-940310C4C34F", "versionEndExcluding": "9.2.11", "versionStartIncluding": "9.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A08DED3-2C75-4953-99D0-4CF86C6AF091", "versionEndExcluding": "9.3.7", "versionStartIncluding": "9.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C830AA7-9F35-41C5-930B-A5BEFDCB3864", "versionEndExcluding": "9.4.2", "versionStartIncluding": "9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*", "matchCriteriaId": "49A63F39-30BE-443F-AF10-6245587D3359", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*", "matchCriteriaId": "F38D3B7E-8429-473F-BB31-FC3583EE5A5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as demonstrated by an out-of-memory error."}, {"lang": "es", "value": "La implementaci\u00f3n de snprintf en PostgreSQL versiones anteriores a 9.0.20, versiones 9.1.x anteriores a 9.1.16, versiones 9.2.x anteriores a 9.2.11, versiones 9.3.x anteriores a 9.3.7 y versiones 9.4.x anteriores a 9.4.2, no maneja apropiadamente los errores de llamadas al sistema , lo que permite a atacantes obtener informaci\u00f3n confidencial o tener otro impacto no especificado por medio de vectores desconocidos, como es demostrado por un error fuera de la memoria."}], "id": "CVE-2015-3166", "lastModified": "2024-11-21T02:28:48.780", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-20T21:15:11.413", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://ubuntu.com/usn/usn-2621-1"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3269"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3270"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.postgresql.org/about/news/1587/"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://ubuntu.com/usn/usn-2621-1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3269"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3270"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://www.postgresql.org/about/news/1587/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank PostgreSQL project for reporting this issue. Upstream acknowledges Noah Misch as the original reporter.", "affected_release": [{"advisory": "RHSA-2015:1194", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "postgresql-0:8.4.20-3.el6_6", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1194", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "postgresql-0:9.2.13-1.el7_1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1195", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "postgresql92-postgresql-0:9.2.13-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1196", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-postgresql94-postgresql-0:9.4.4-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1195", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "postgresql92-postgresql-0:9.2.13-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1196", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-postgresql94-postgresql-0:9.4.4-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1195", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "postgresql92-postgresql-0:9.2.13-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1196", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-postgresql94-postgresql-0:9.4.4-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1195", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "postgresql92-postgresql-0:9.2.13-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1196", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-postgresql94-postgresql-0:9.4.4-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1195", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "postgresql92-postgresql-0:9.2.13-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1196", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-postgresql94-postgresql-0:9.4.4-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2015-06-29T00:00:00Z"}], "bugzilla": {"description": "postgresql: unanticipated errors from the standard library", "id": "1221539", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221539"}, "csaw": false, "cvss": {"cvss_base_score": "4.0", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:P/I:N/A:P", "status": "verified"}, "cwe": "CWE-391", "details": ["The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as demonstrated by an out-of-memory error.", "It was discovered that PostgreSQL did not properly check the return values of certain standard library functions. If the system was in a state that would cause the standard library functions to fail (for example, memory exhaustion), an authenticated user could possibly exploit this flaw to disclose partial memory contents or cause the GSSAPI authentication to use an incorrect keytab file."], "name": "CVE-2015-3166", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Affected", "package_name": "postgresql", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Affected", "package_name": "postgresql92-postgresql", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Affected", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Affected", "package_name": "postgresql84", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/a:redhat:network_satellite:5.7", "fix_state": "Affected", "package_name": "postgresql92", "product_name": "Red Hat Satellite 5.7"}], "public_date": "2015-05-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-3166\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3166"], "statement": "Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This flaw has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.", "threat_severity": "Low"}

{}