{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2015-10-08T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-06-30T16:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "77048", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/77048"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-10.html"}, {"name": "SUSE-SU-2016:0677", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00016.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-5.html"}, {"name": "USN-2772-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "http://www.ubuntu.com/usn/USN-2772-1"}, {"name": "GLSA-201701-33", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/201701-33"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"name": "FEDORA-2015-6d2a957a87", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172316.html"}, {"name": "openSUSE-SU-2015:1907", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00033.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=08fa47c4850cea32c3116665975bca219fbf2fe6"}, {"name": "FEDORA-2015-7fac92f49c", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169094.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.postgresql.org/about/news/1615/"}, {"name": "DSA-3374", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2015/dsa-3374"}, {"name": "1033775", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1033775"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2015-5289", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "77048", "refsource": "BID", "url": "http://www.securityfocus.com/bid/77048"}, {"name": "http://www.postgresql.org/docs/9.3/static/release-9-3-10.html", "refsource": "CONFIRM", "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-10.html"}, {"name": "SUSE-SU-2016:0677", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00016.html"}, {"name": "http://www.postgresql.org/docs/9.4/static/release-9-4-5.html", "refsource": "CONFIRM", "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-5.html"}, {"name": "USN-2772-1", "refsource": "UBUNTU", "url": "http://www.ubuntu.com/usn/USN-2772-1"}, {"name": "GLSA-201701-33", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/201701-33"}, {"name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"name": "FEDORA-2015-6d2a957a87", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172316.html"}, {"name": "openSUSE-SU-2015:1907", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00033.html"}, {"name": "http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=08fa47c4850cea32c3116665975bca219fbf2fe6", "refsource": "CONFIRM", "url": "http://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=08fa47c4850cea32c3116665975bca219fbf2fe6"}, {"name": "FEDORA-2015-7fac92f49c", "refsource": "FEDORA", "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169094.html"}, {"name": "http://www.postgresql.org/about/news/1615/", "refsource": "CONFIRM", "url": "http://www.postgresql.org/about/news/1615/"}, {"name": "DSA-3374", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2015/dsa-3374"}, {"name": "1033775", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1033775"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T06:41:09.255Z"}, "title": "CVE Program Container", "references": [{"name": "77048", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/77048"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-10.html"}, {"name": "SUSE-SU-2016:0677", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00016.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-5.html"}, {"name": "USN-2772-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU", "x_transferred"], "url": "http://www.ubuntu.com/usn/USN-2772-1"}, {"name": "GLSA-201701-33", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/201701-33"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"name": "FEDORA-2015-6d2a957a87", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172316.html"}, {"name": "openSUSE-SU-2015:1907", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00033.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=08fa47c4850cea32c3116665975bca219fbf2fe6"}, {"name": "FEDORA-2015-7fac92f49c", "tags": ["vendor-advisory", "x_refsource_FEDORA", "x_transferred"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169094.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.postgresql.org/about/news/1615/"}, {"name": "DSA-3374", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2015/dsa-3374"}, {"name": "1033775", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id/1033775"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2015-5289", "datePublished": "2015-10-26T14:00:00", "dateReserved": "2015-07-01T00:00:00", "dateUpdated": "2024-08-06T06:41:09.255Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF2F8DD0-FC2E-4145-81EA-B33A384AB636", "versionEndExcluding": "9.3.10", "versionStartIncluding": "9.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*", "matchCriteriaId": "71005102-9FE9-44DE-9B8A-84C48692D109", "versionEndExcluding": "9.4.5", "versionStartIncluding": "9.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*", "matchCriteriaId": "CB66DB75-2B16-4EBF-9B93-CE49D8086E41", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:15.04:*:*:*:*:*:*:*", "matchCriteriaId": "F38D3B7E-8429-473F-BB31-FC3583EE5A5B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values."}, {"lang": "es", "value": "M\u00faltiple desbordamiento de buffer basado en pila en el an\u00e1lisis gramatical de json en PostgreSQL en versiones anteriores a 9.3.x en versiones anteriores a 9.3.10 y 9.4.x en versiones anteriores a 9.4.5 permite a atacantes provocar una denegaci\u00f3n de servicio (ca\u00edda del servidor) a trav\u00e9s de vectores no especificados, los cuales no son manejados adecuadamente en valores (1) json o (2) jsonb."}], "id": "CVE-2015-5289", "lastModified": "2023-11-07T02:26:07.873", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2015-10-26T14:59:02.950", "references": [{"source": "secalert@redhat.com", "url": "http://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=08fa47c4850cea32c3116665975bca219fbf2fe6"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172316.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169094.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00016.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2015-11/msg00033.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2015/dsa-3374"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.postgresql.org/about/news/1615/"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.3/static/release-9-3-10.html"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "http://www.postgresql.org/docs/9.4/static/release-9-4-5.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/77048"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1033775"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.ubuntu.com/usn/USN-2772-1"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/201701-33"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2015:2078", "cpe": "cpe:/o:redhat:enterprise_linux:7", "package": "postgresql-0:9.2.14-1.ael7b_1", "product_name": "Red Hat Enterprise Linux 7", "release_date": "2015-11-19T00:00:00Z"}, {"advisory": "RHSA-2015:2077", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-postgresql94-postgresql-0:9.4.5-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2083", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "postgresql92-postgresql-0:9.2.14-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2077", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-postgresql94-postgresql-0:9.4.5-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2083", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "postgresql92-postgresql-0:9.2.14-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.5 EUS", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2077", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-postgresql94-postgresql-0:9.4.5-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2083", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "postgresql92-postgresql-0:9.2.14-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2077", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "rh-postgresql94-postgresql-0:9.4.5-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2083", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el6", "package": "postgresql92-postgresql-0:9.2.14-1.el6", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2077", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-postgresql94-postgresql-0:9.4.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2083", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "postgresql92-postgresql-0:9.2.14-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2077", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "rh-postgresql94-postgresql-0:9.4.5-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2015-11-18T00:00:00Z"}, {"advisory": "RHSA-2015:2083", "cpe": "cpe:/a:redhat:rhel_software_collections:2::el7", "package": "postgresql92-postgresql-0:9.2.14-1.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date": "2015-11-18T00:00:00Z"}], "bugzilla": {"description": "postgresql: stack overflow DoS when parsing json or jsonb inputs", "id": "1270312", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1270312"}, "csaw": false, "cvss": {"cvss_base_score": "4.3", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "status": "verified"}, "cwe": "CWE-131->CWE-674", "details": ["Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.", "A stack overflow flaw was discovered in the way the PostgreSQL core server processed certain JSON or JSONB input. An authenticated attacker could possibly use this flaw to crash the server backend by sending specially crafted JSON or JSONB input."], "name": "CVE-2015-5289", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Not affected", "package_name": "postgresql84", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1", "fix_state": "Not affected", "package_name": "postgresql", "product_name": "Red Hat JBoss Enterprise Web Server 1"}, {"cpe": "cpe:/a:redhat:network_satellite:5.7", "fix_state": "Affected", "package_name": "postgresql92-postgresql", "product_name": "Red Hat Satellite 5.7"}], "public_date": "2015-10-08T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-5289\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-5289\nhttp://www.postgresql.org/about/news/1615/"], "threat_severity": "Moderate", "upstream_fix": "postgresql 9.4.5, postgresql 9.3.10, postgresql 9.2.14, postgresql 9.1.19, postgresql 9.0.23"}