Information Exposure Through an Error Message in PostgreSQL

#VU30418 Information Exposure Through an Error Message in PostgreSQL

Published: 2020-01-27 | Updated: 2020-07-17

Vulnerability identifier: #VU30418

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2014-8161

CWE-ID: CWE-209

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PostgreSQL: 9.4.0

External links
http://www.debian.org/security/2015/dsa-3155
http://www.postgresql.org/about/news/1569/
http://www.postgresql.org/docs/9.4/static/release-9-4-1.html
http://www.postgresql.org/docs/current/static/release-9-0-19.html
http://www.postgresql.org/docs/current/static/release-9-1-15.html
http://www.postgresql.org/docs/current/static/release-9-2-10.html
http://www.postgresql.org/docs/current/static/release-9-3-6.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Arch Linux update for postgresql

Multiple vulnerabilities in PostgreSQL

Gentoo update for PostgreSQL

Amazon Linux AMI update for postgresql8

Amazon Linux AMI update for postgresql92