CVE-2022-41862

Public on 2023-02-19

Modified on 2024-02-10

Description

In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.

Severity

Low

See what this means

CVSS v3 Base Score

3.7

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 2 - Postgresql13 Extra	libpq			Pending Fix
Amazon Linux 2 - Postgresql12 Extra	libpq	2024-03-18	ALAS2POSTGRESQL12-2024-010	Fixed
Amazon Linux 2 - Postgresql14 Extra	libpq	2024-03-18	ALAS2POSTGRESQL14-2024-010	Fixed
Amazon Linux 2023	libpq			Pending Fix
Amazon Linux 2 - Core	postgresql			Not Affected
Amazon Linux 2 - Postgresql11 Extra	postgresql			Not Affected
Amazon Linux 2 - Postgresql12 Extra	postgresql	2023-09-25	ALAS2POSTGRESQL12-2023-001	Fixed
Amazon Linux 2 - Postgresql13 Extra	postgresql	2023-09-25	ALAS2POSTGRESQL13-2023-001	Fixed
Amazon Linux 2 - Postgresql14 Extra	postgresql	2023-09-25	ALAS2POSTGRESQL14-2023-001	Fixed
Amazon Linux 2023	postgresql15	2023-10-24	ALAS2023-2023-387	Fixed
Amazon Linux 1	postgresql92			Not Affected

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
NVD	CVSSv3	3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References

FAQs regarding Amazon Linux ALAS/CVE Severity Red Hat: CVE-2022-41862 Mitre: CVE-2022-41862