2326258 – (CVE-2024-10977) CVE-2024-10977 postgresql: PostgreSQL libpq retains an error message from man-in-the-middle

Bug 2326258 (CVE-2024-10977) - CVE-2024-10977 postgresql: PostgreSQL libpq retains an error message from man-in-the-middle

Summary: CVE-2024-10977 postgresql: PostgreSQL libpq retains an error message from man...

Keywords:
Status:	NEW
Alias:	CVE-2024-10977
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2326459 2326460 2326461 2326462 2326463 2326464 2326456 2326457 2326458
Blocks:
TreeView+	depends on / blocked

Reported:	2024-11-14 14:01 UTC by OSIDB Bzimport
Modified:	2024-11-18 07:56 UTC (History)
CC List:	0 users
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2024-11-14 14:01:56 UTC

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application.  For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results.  This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text.  Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Note You need to log in before you can comment on or make changes to this bug.