CVE-2024-10977: PostgreSQL libpq retains an error message from man-in-the-middle
First published: Thu Nov 14 2024(Updated: )
Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.
Credit: f86ef6dc-4d3a-42ad-8f28-e6d5547a5007
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/postgresql-13 | <=13.16-0+deb11u1 | 13.18-0+deb11u1 |
| debian/postgresql-15 | <=15.8-0+deb12u1 | 15.10-0+deb12u1 |
| debian/postgresql-16 | <=16.4-3 | |
| debian/postgresql-17 | 17.2-1 | |
| PostgreSQL Common | >=12.0<12.21 | |
| PostgreSQL Common | >=13.0<13.17 | |
| PostgreSQL Common | >=14.0<14.14 | |
| PostgreSQL Common | >=15.0<15.9 | |
| PostgreSQL Common | >=16.0<16.5 | |
| PostgreSQL Common | =17.0 | |
| PostgreSQL Common | =17.0-beta1 | |
| PostgreSQL Common | =17.0-beta2 | |
| PostgreSQL Common | =17.0-beta3 | |
| PostgreSQL Common | =17.0-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.postgresql.org/support/security/CVE-2024-10977/
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10977
- https://nvd.nist.gov/vuln/detail/CVE-2024-10977
- https://launchpad.net/bugs/cve/CVE-2024-10977
- https://security-tracker.debian.org/tracker/CVE-2024-10977
- https://ubuntu.com/security/CVE-2024-10977
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=a5cc4c66719be2ae1eebe92ad97727dc905bbc6d
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=67d28bd02ec06f5056754bc295f57d2dd2bbd749
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=d2c3e31c13a6820980c2c6019f0b8f9f0b63ae6e
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=e6c9454764d880ee30735aa8c1e05d3674722ff9
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=7b49707b72612ef068ce9275b9b6da104f1960f3
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=2a951ef0aace58026c31b9a88aeeda19c9af4205
Frequently Asked Questions
What is the severity of CVE-2024-10977?
CVE-2024-10977 has been classified with a high severity due to its potential for exploitation by a man-in-the-middle attacker.
How do I fix CVE-2024-10977?
To fix CVE-2024-10977, update to PostgreSQL version 13.18-0+deb11u1, 15.10-0+deb12u1, or 17.2-1.
Which versions of PostgreSQL are affected by CVE-2024-10977?
Affected PostgreSQL versions include 13.16-0+deb11u1 and earlier, 15.8-0+deb12u1 and earlier, and 16.4-3 and earlier.
What kind of attacks can CVE-2024-10977 facilitate?
CVE-2024-10977 can facilitate man-in-the-middle attacks that exploit server error messages to send arbitrary non-NUL bytes.
Is CVE-2024-10977 specific to a particular operating system?
CVE-2024-10977 is specifically noted for Debian packages of PostgreSQL.
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/usn-cve
- source/Ubuntu
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/references
- agent/description
- agent/trending
- agent/source
- agent/severity
- agent/weakness
- agent/last-modified-date
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- package-manager/debian
- vendor/postgresql
- canonical/postgresql common
- version/postgresql common/12.0
- version/postgresql common/13.0
- version/postgresql common/14.0
- version/postgresql common/15.0
- version/postgresql common/16.0
- version/postgresql common/17.0
- version/postgresql common/17.0-beta1
- version/postgresql common/17.0-beta2
- version/postgresql common/17.0-beta3
- version/postgresql common/17.0-rc1