Vulnerability CVE-2022-41862

Vulnerability Name:

CVE-2022-41862 (CCN-248100)

Assigned:

2022-09-30

Published:

2023-02-09

Updated:

2023-04-27

Summary:

PostgreSQL could allow a remote attacker to obtain sensitive information, caused by a client memory disclosure flaw. By sending an unterminated string during the establishment of Kerberos transport encryption, an attacker could exploit this vulnerability to obtain sensitive information.

CVSS v3 Severity:

3.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
3.2 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

3.7 Low (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
3.2 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): High Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2022-41862

Source: secalert@redhat.com
Type: Issue Tracking, Third Party Advisory
secalert@redhat.com

Source: XF
Type: UNKNOWN
postgresql-cve202241862-info-disc(248100)

Source: secalert@redhat.com
Type: UNKNOWN
secalert@redhat.com

Source: CCN
Type: IBM Security Bulletin 6982413 (Watson Discovery)
IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in PostgreSQL

Source: CCN
Type: IBM Security Bulletin 6995589 (Spectrum Copy Data Management)
Vulnerabilities in Golang, Python, postgresql, cURL libcurl might affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 7005587 (Spectrum Protect Plus)
Vulnerabilities in cURL libcurl, PostgreSQL, PyPI cryptography, Node.js can affect IBM Spectrum Protect Plus

Source: CCN
Type: IBM Security Bulletin 7009295 (Sterling Connect:Direct Web Services)
IBM Connect:Direct Web Services vulnerable to sensitive information exposure due to PostgreSQL (CVE-2022-41862)

Source: CCN
Type: PostgreSQL Web site
Client memory disclosure when connecting, with Kerberos, to modified server

Source: secalert@redhat.com
Type: Vendor Advisory
secalert@redhat.com

Vulnerable Configuration:

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:

cpe:/a:postgresql:postgresql:15:beta1:*:*:*:*:*:*

AND

cpe:/a:ibm:spectrum_protect_plus:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_copy_data_management:2.2.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:7649	P	libpq5-15.3-150200.5.9.1 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:8089	P	postgresql14-14.8-150200.5.26.1 on GA media (Moderate)	2023-06-12
oval:com.redhat.rhsa:def:20231576	P	RHSA-2023:1576: postgresql:13 security update (Moderate)	2023-04-04

BACK