{ "threat_severity" : "Moderate", "public_date" : "2016-08-11T00:00:00Z", "bugzilla" : { "description" : "postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference", "id" : "1364001", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1364001" }, "cvss" : { "cvss_base_score" : "6.5", "cvss_scoring_vector" : "AV:N/AC:L/Au:S/C:P/I:P/A:P", "status" : "verified" }, "cvss3" : { "cvss3_base_score" : "8.5", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-822", "details" : [ "PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.", "A flaw was found in the way PostgreSQL server handled certain SQL statements containing CASE/WHEN commands. A remote, authenticated attacker could use a specially crafted SQL statement to cause PostgreSQL to crash or disclose a few bytes of server memory or possibly execute arbitrary code." ], "acknowledgement" : "Red Hat would like to thank the PostgreSQL project for reporting this issue. Upstream acknowledges Heikki Linnakangas as the original reporter.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-11-03T00:00:00Z", "advisory" : "RHSA-2016:2606", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "postgresql-0:9.2.18-1.el7" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "rh-postgresql95-0:2.2-3.el6" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "rh-postgresql95-postgresql-0:9.5.7-2.el6" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-backend-0:2.3.3-53.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-postgresql-server-0:9.5-1.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-setup-postgresql-0:2.3.0-27.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-utils-0:2.3.2-32.el6sat" }, { "product_name" : "Red Hat Satellite 5.7", "release_date" : "2017-08-07T00:00:00Z", "advisory" : "RHSA-2017:2425", "cpe" : "cpe:/a:redhat:network_satellite:5.7::el6", "package" : "spacewalk-web-0:2.3.2-35.el6sat" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2016-08-31T00:00:00Z", "advisory" : "RHSA-2016:1781", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "rh-postgresql94-postgresql-0:9.4.9-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1820", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "postgresql92-postgresql-0:9.2.18-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1821", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "rh-postgresql95-postgresql-0:9.5.4-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date" : "2016-08-31T00:00:00Z", "advisory" : "RHSA-2016:1781", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "rh-postgresql94-postgresql-0:9.4.9-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1820", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "postgresql92-postgresql-0:9.2.18-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.6 EUS", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1821", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "rh-postgresql95-postgresql-0:9.5.4-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date" : "2016-08-31T00:00:00Z", "advisory" : "RHSA-2016:1781", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "rh-postgresql94-postgresql-0:9.4.9-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1820", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "postgresql92-postgresql-0:9.2.18-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1821", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el6", "package" : "rh-postgresql95-postgresql-0:9.5.4-1.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2016-08-31T00:00:00Z", "advisory" : "RHSA-2016:1781", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "rh-postgresql94-postgresql-0:9.4.9-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1820", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "postgresql92-postgresql-0:9.2.18-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1821", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "rh-postgresql95-postgresql-0:9.5.4-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date" : "2016-08-31T00:00:00Z", "advisory" : "RHSA-2016:1781", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "rh-postgresql94-postgresql-0:9.4.9-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1820", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "postgresql92-postgresql-0:9.2.18-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.1 EUS", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1821", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "rh-postgresql95-postgresql-0:9.5.4-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date" : "2016-08-31T00:00:00Z", "advisory" : "RHSA-2016:1781", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "rh-postgresql94-postgresql-0:9.4.9-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1820", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "postgresql92-postgresql-0:9.2.18-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.2 EUS", "release_date" : "2016-09-07T00:00:00Z", "advisory" : "RHSA-2016:1821", "cpe" : "cpe:/a:redhat:rhel_software_collections:2::el7", "package" : "rh-postgresql95-postgresql-0:9.5.4-1.el7" } ], "package_state" : [ { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Affected", "package_name" : "postgresql", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5" }, { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Affected", "package_name" : "postgresql92-postgresql", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Will not fix", "package_name" : "postgresql", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Will not fix", "package_name" : "postgresql84", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Will not fix", "package_name" : "postgresql", "cpe" : "cpe:/o:redhat:enterprise_linux:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-5423\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-5423" ], "name" : "CVE-2016-5423", "csaw" : false }