{"containers": {"cna": {"affected": [{"product": "PostgreSQL", "vendor": "PostgreSQL Global Development Group", "versions": [{"status": "affected", "version": "before 9.0.20"}, {"status": "affected", "version": "9.1.x before 9.1.16"}, {"status": "affected", "version": "9.2.x before 9.2.11"}, {"status": "affected", "version": "9.3.x before 9.3.7"}, {"status": "affected", "version": "and 9.4.x before 9.4.2"}]}], "datePublic": "2015-05-22T00:00:00", "descriptions": [{"lang": "en", "value": "contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack."}], "problemTypes": [{"descriptions": [{"description": "Other", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-20T20:50:14", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/about/news/1587/"}, {"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html"}, {"tags": ["x_refsource_MISC"], "url": "http://www.debian.org/security/2015/dsa-3269"}, {"tags": ["x_refsource_MISC"], "url": "http://www.debian.org/security/2015/dsa-3270"}, {"tags": ["x_refsource_MISC"], "url": "http://ubuntu.com/usn/usn-2621-1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-3167", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PostgreSQL", "version": {"version_data": [{"version_value": "before 9.0.20"}, {"version_value": "9.1.x before 9.1.16"}, {"version_value": "9.2.x before 9.2.11"}, {"version_value": "9.3.x before 9.3.7"}, {"version_value": "and 9.4.x before 9.4.2"}]}}]}, "vendor_name": "PostgreSQL Global Development Group"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Other"}]}]}, "references": {"reference_data": [{"name": "http://www.postgresql.org/about/news/1587/", "refsource": "MISC", "url": "http://www.postgresql.org/about/news/1587/"}, {"name": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html", "refsource": "MISC", "url": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html"}, {"name": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html", "refsource": "MISC", "url": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html"}, {"name": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html", "refsource": "MISC", "url": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html"}, {"name": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html", "refsource": "MISC", "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html"}, {"name": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html", "refsource": "MISC", "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html"}, {"name": "http://www.debian.org/security/2015/dsa-3269", "refsource": "MISC", "url": "http://www.debian.org/security/2015/dsa-3269"}, {"name": "http://www.debian.org/security/2015/dsa-3270", "refsource": "MISC", "url": "http://www.debian.org/security/2015/dsa-3270"}, {"name": "http://ubuntu.com/usn/usn-2621-1", "refsource": "MISC", "url": "http://ubuntu.com/usn/usn-2621-1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T05:39:31.906Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/about/news/1587/"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3269"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3270"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://ubuntu.com/usn/usn-2621-1"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-3167", "datePublished": "2019-11-20T20:50:14", "dateReserved": "2015-04-10T00:00:00", "dateUpdated": "2024-08-06T05:39:31.906Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "21D435C2-4D3A-447E-A8A5-66CC6925C105", "versionEndExcluding": "9.0.20", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "25EBF3A0-EC2E-4B96-8CC4-82AD2F0B9E67", "versionEndExcluding": "9.1.16", "versionStartIncluding": "9.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "220353A0-CF8E-45B7-9C4F-940310C4C34F", "versionEndExcluding": "9.2.11", "versionStartIncluding": "9.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "0A08DED3-2C75-4953-99D0-4CF86C6AF091", "versionEndExcluding": "9.3.7", "versionStartIncluding": "9.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "9C830AA7-9F35-41C5-930B-A5BEFDCB3864", "versionEndExcluding": "9.4.2", "versionStartIncluding": "9.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B6B7CAD7-9D4E-4FDB-88E3-1E583210A01F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.10:*:*:*:*:*:*:*", "matchCriteriaId": "49A63F39-30BE-443F-AF10-6245587D3359", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*", "matchCriteriaId": "F38D3B7E-8429-473F-BB31-FC3583EE5A5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack."}, {"lang": "es", "value": "contrib/pgcrypto en PostgreSQL versiones anteriores a 9.0.20, versiones 9.1.x anteriores a 9.1.16, versiones 9.2.x anteriores a 9.2.11, versiones 9.3.x anteriores a 9.3.7 y versiones 9.4.x anteriores a 9.4.2, utiliza diferentes respuestas de error cuando una clave incorrecta se usada, lo que facilita a atacantes obtener la clave por medio de un ataque de fuerza bruta."}], "id": "CVE-2015-3167", "lastModified": "2019-11-22T15:18:57.997", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-20T21:15:11.523", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://ubuntu.com/usn/usn-2621-1"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3269"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3270"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.postgresql.org/about/news/1587/"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.0/static/release-9-0-20.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.1/static/release-9-1-16.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.2/static/release-9-2-11.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-7.html"}, {"source": "secalert@redhat.com", "tags": ["Release Notes", "Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-2.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank PostgreSQL project for reporting this issue. Upstream acknowledges Noah Misch as the original reporter.", "affected_release": [{"advisory": "RHSA-2015:1194", "cpe": "cpe:/o:redhat:enterprise_linux:6", "package": "postgresql-0:8.4.20-3.el6_6", "product_name": "Red Hat Enterprise Linux 6", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1194", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "postgresql-0:9.2.13-1.el7_1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1195", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "postgresql92-postgresql-0:9.2.13-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1196", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-postgresql94-postgresql-0:9.4.4-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1195", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "postgresql92-postgresql-0:9.2.13-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1196", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-postgresql94-postgresql-0:9.4.4-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1195", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "postgresql92-postgresql-0:9.2.13-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1196", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-postgresql94-postgresql-0:9.4.4-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1195", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "postgresql92-postgresql-0:9.2.13-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1196", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-postgresql94-postgresql-0:9.4.4-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1195", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "postgresql92-postgresql-0:9.2.13-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2015-06-29T00:00:00Z"}, {"advisory": "RHSA-2015:1196", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-postgresql94-postgresql-0:9.4.4-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2015-06-29T00:00:00Z"}], "bugzilla": {"description": "postgresql: pgcrypto has multiple error messages for decryption with an incorrect key.", "id": "1221541", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1221541"}, "csaw": false, "cvss": {"cvss_base_score": "2.6", "cvss_scoring_vector": "AV:N/AC:H/Au:N/C:P/I:N/A:N", "status": "verified"}, "cwe": "CWE-209", "details": ["contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack.", "It was discovered that the pgcrypto module could return different error messages when decrypting certain data with an incorrect key. This could potentially help an authenticated user to launch a possible cryptographic attack, although no suitable attack is currently known."], "name": "CVE-2015-3167", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Affected", "package_name": "postgresql", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Affected", "package_name": "postgresql92-postgresql", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Affected", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Affected", "package_name": "postgresql84", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/a:redhat:network_satellite:5.7", "fix_state": "Affected", "package_name": "postgresql92", "product_name": "Red Hat Satellite 5.7"}], "public_date": "2015-05-22T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-3167\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-3167"], "statement": "Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This flaw has been rated as having Low security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.", "threat_severity": "Low", "upstream_fix": "postgresql 9.4.2, postgresql 9.3.7, postgresql 9.2.11, postgresql 9.1.16, postgresql 9.0.20"}