CVE-2015-3167: Infoleak
First published: Wed Nov 20 2019(Updated: )
contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PostgreSQL PostgreSQL | <9.0.20 | |
| PostgreSQL PostgreSQL | >=9.1<9.1.16 | |
| PostgreSQL PostgreSQL | >=9.2<9.2.11 | |
| PostgreSQL PostgreSQL | >=9.3<9.3.7 | |
| PostgreSQL PostgreSQL | >=9.4<9.4.2 | |
| Debian Debian Linux | =7.0 | |
| Debian Debian Linux | =8.0 | |
| Debian Debian Linux | =9.0 | |
| Canonical Ubuntu Linux | =12.04 | |
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =14.10 | |
| Canonical Ubuntu Linux | =15.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://ubuntu.com/usn/usn-2621-1
- http://www.debian.org/security/2015/dsa-3269
- http://www.debian.org/security/2015/dsa-3270
- http://www.postgresql.org/about/news/1587/
- http://www.postgresql.org/docs/9.0/static/release-9-0-20.html
- http://www.postgresql.org/docs/9.1/static/release-9-1-16.html
- http://www.postgresql.org/docs/9.2/static/release-9-2-11.html
- http://www.postgresql.org/docs/9.3/static/release-9-3-7.html
- http://www.postgresql.org/docs/9.4/static/release-9-4-2.html
Frequently Asked Questions
What is CVE-2015-3167?
CVE-2015-3167 is a vulnerability in PostgreSQL versions before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 that allows attackers to obtain encryption keys via a brute force attack.
What is the severity of CVE-2015-3167?
The severity of CVE-2015-3167 is high, with a CVSS score of 7.5.
How can I fix CVE-2015-3167?
To fix CVE-2015-3167, you should update your PostgreSQL installation to version 9.0.20, 9.1.16, 9.2.11, 9.3.7, or 9.4.2.
Is there any reference for CVE-2015-3167?
Yes, you can find more information about CVE-2015-3167 in the following references: http://ubuntu.com/usn/usn-2621-1, http://www.debian.org/security/2015/dsa-3269, http://www.debian.org/security/2015/dsa-3270.
What is the Common Weakness Enumeration (CWE) ID for CVE-2015-3167?
The CWE ID for CVE-2015-3167 is CWE-200.
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/type
- agent/description
- agent/event
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/9.1
- version/postgresql postgresql/9.2
- version/postgresql postgresql/9.3
- version/postgresql postgresql/9.4
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- version/debian debian linux/8.0
- version/debian debian linux/9.0
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/12.04
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/14.10
- version/canonical ubuntu linux/15.04