{
  "threat_severity" : "Moderate",
  "public_date" : "2015-02-05T00:00:00Z",
  "bugzilla" : {
    "description" : "postgresql: information leak through constraint violation errors",
    "id" : "1182043",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1182043"
  },
  "cvss" : {
    "cvss_base_score" : "3.5",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:S/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-662->CWE-300",
  "details" : [ "PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.", "An information leak flaw was found in the way the PostgreSQL database server handled certain error messages. An authenticated database user could possibly obtain the results of a query they did not have privileges to execute by observing the constraint violation error messages produced when the query was executed." ],
  "acknowledgement" : "Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Stephen Frost as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2015-03-30T00:00:00Z",
    "advisory" : "RHSA-2015:0750",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "postgresql-0:8.4.20-2.el6_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2015-03-30T00:00:00Z",
    "advisory" : "RHSA-2015:0750",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "postgresql-0:9.2.10-2.ael7b_1"
  }, {
    "product_name" : "Red Hat Satellite 5.7",
    "release_date" : "2015-04-20T00:00:00Z",
    "advisory" : "RHSA-2015:0856",
    "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6",
    "package" : "postgresql92-postgresql-0:9.2.10-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections 1 for Red Hat Enterprise Linux 6",
    "release_date" : "2015-03-18T00:00:00Z",
    "advisory" : "RHSA-2015:0699",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1::el6",
    "package" : "postgresql92-postgresql-0:9.2.10-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS",
    "release_date" : "2015-03-18T00:00:00Z",
    "advisory" : "RHSA-2015:0699",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1::el6",
    "package" : "postgresql92-postgresql-0:9.2.10-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS",
    "release_date" : "2015-03-18T00:00:00Z",
    "advisory" : "RHSA-2015:0699",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1::el6",
    "package" : "postgresql92-postgresql-0:9.2.10-2.el6"
  }, {
    "product_name" : "Red Hat Software Collections 1 for Red Hat Enterprise Linux 7",
    "release_date" : "2015-03-18T00:00:00Z",
    "advisory" : "RHSA-2015:0699",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1::el7",
    "package" : "postgresql92-postgresql-0:9.2.10-1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Will not fix",
    "package_name" : "postgresql",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Will not fix",
    "package_name" : "postgresql92-postgresql",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "postgresql",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "postgresql84",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Affected",
    "package_name" : "rh-postgresql94-postgresql",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-8161\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-8161\nhttp://www.postgresql.org/about/news/1569/" ],
  "name" : "CVE-2014-8161",
  "csaw" : false
}