CVE-2022-41862

CVE-2022-41862

Name

CVE-2022-41862

Description

In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.

NVD Severity

unknown

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
MISC	https://www.postgresql.org/support/security/CVE-2022-41862/
MISC	https://bugzilla.redhat.com/show_bug.cgi?id=2165722
CONFIRM	https://security.netapp.com/advisory/ntap-20230427-0002/

Type

URI

MISC

https://www.postgresql.org/support/security/CVE-2022-41862/

MISC

https://bugzilla.redhat.com/show_bug.cgi?id=2165722

CONFIRM

https://security.netapp.com/advisory/ntap-20230427-0002/

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 15.0	< 15.2
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 14.0	< 14.7
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 13.0	< 13.10
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 12.0	< 12.14

CPE URI

Source package

Min version

Max version

cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

postgresql

>= 15.0

< 15.2

cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

postgresql

>= 14.0

< 14.7

cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

postgresql

>= 13.0

< 13.10

cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

postgresql

>= 12.0

< 12.14

Vulnerable and fixed packages

Source package	Branch	Version	Maintainer	Status
postgresql15	edge-main	15.2-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql15	edge-community	15.2-r0	None	fixed
postgresql15	3.22-community	15.2-r0	None	fixed
postgresql15	3.21-community	15.2-r0	None	fixed
postgresql15	3.20-main	15.2-r0	None	fixed
postgresql15	3.19-main	15.2-r0	None	fixed
postgresql15	3.18-main	15.2-r0	None	fixed
postgresql15	3.17-main	15.2-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql14	edge-main	14.7-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql14	edge-community	14.7-r0	None	fixed
postgresql14	3.20-community	14.7-r0	None	fixed
postgresql14	3.19-community	14.7-r0	None	fixed
postgresql14	3.18-main	14.7-r0	None	fixed
postgresql14	3.17-main	14.7-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql13	edge-community	13.10-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql13	3.19-community	13.10-r0	None	fixed
postgresql13	3.18-community	13.10-r0	None	fixed
postgresql13	3.17-community	13.10-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql12	edge-community	12.14-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql12	3.18-community	12.14-r0	None	fixed
postgresql12	3.17-community	12.14-r0	Jakub Jirutka <jakub@jirutka.cz>	fixed
postgresql	edge-main	14.1-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
postgresql	edge-main	13.4-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
postgresql	edge-main	13.3-r0	Jakub Jirutka <jakub@jirutka.cz>	possibly vulnerable
postgresql	edge-main	13.2-r0	None	possibly vulnerable
postgresql	edge-main	12.5-r0	None	possibly vulnerable
postgresql	edge-main	12.4-r0	None	possibly vulnerable
postgresql	edge-main	12.2-r0	None	possibly vulnerable

Source package

Branch

Version

Maintainer

Status

postgresql15

edge-main

15.2-r0

Jakub Jirutka <jakub@jirutka.cz>

fixed

postgresql15

edge-community