CVE-2017-15098

high-risk

Published 2017-11-22

Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.

Do I need to act?

0.86% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.1/10 High

NETWORK / LOW complexity

Affected Products (20)

Postgresql

Affected Vendors

Debian Postgresql

References (16)

Third Party Advisory http://www.securityfocus.com/bid/101781

Third Party Advisory http://www.securitytracker.com/id/1039752

https://access.redhat.com/errata/RHSA-2018:2511

https://access.redhat.com/errata/RHSA-2018:2566

Issue Tracking https://www.debian.org/security/2017/dsa-4027

Issue Tracking https://www.debian.org/security/2017/dsa-4028

Issue Tracking https://www.postgresql.org/about/news/1801/

Issue Tracking https://www.postgresql.org/support/security/

Third Party Advisory http://www.securityfocus.com/bid/101781

Third Party Advisory http://www.securitytracker.com/id/1039752

https://access.redhat.com/errata/RHSA-2018:2511

https://access.redhat.com/errata/RHSA-2018:2566

Issue Tracking https://www.debian.org/security/2017/dsa-4027

Issue Tracking https://www.debian.org/security/2017/dsa-4028

Issue Tracking https://www.postgresql.org/about/news/1801/

Issue Tracking https://www.postgresql.org/support/security/

/ 100

high-risk

Severity 28/34 · Critical

Exploitability 3/34 · Minimal

Exposure 26/34 · High