Vulnerability Details : CVE-2015-5288
The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt.
Vulnerability category: Denial of serviceInformation leak
Products affected by CVE-2015-5288
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.11:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.10:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.8:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.9:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.13:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.14:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.15:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.7:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.12:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.13:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.2.11:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.18:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.16:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.17:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.9:*:*:*:*:*:*:*
Threat overview for CVE-2015-5288
Top countries where our scanners detected CVE-2015-5288
Top open port discovered on systems with this issue
5432
IPs affected by CVE-2015-5288 101,948
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2015-5288!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2015-5288
2.81%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 90 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2015-5288
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
6.4
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:P |
10.0
|
4.9
|
NIST |
CWE ids for CVE-2015-5288
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
References for CVE-2015-5288
-
http://www.debian.org/security/2015/dsa-3374
Debian -- Security Information -- DSA-3374-1 postgresql-9.4
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-November/172316.html
[SECURITY] Fedora 22 Update: postgresql-9.4.5-1.fc22
-
http://www.postgresql.org/docs/9.0/static/release-9-0-23.html
PostgreSQL: Documentation: 9.0: Release 9.0.23Vendor Advisory
-
http://www.securitytracker.com/id/1033775
PostgreSQL Bugs Let Remote Users Deny Service and May Let Remote Users Obtain Portions of Memory - SecurityTracker
-
http://www.securityfocus.com/bid/77049
PostgreSQL 'pgcrypto' Module CVE-2015-5288 Memory Corruption Vulnerability
-
http://www.postgresql.org/docs/9.2/static/release-9-2-14.html
PostgreSQL: Documentation: 9.2: Release 9.2.14Vendor Advisory
-
http://www.postgresql.org/docs/9.1/static/release-9-1-19.html
PostgreSQL: Documentation: 9.1: Release 9.1.19Vendor Advisory
-
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Oracle Linux Bulletin - October 2015
-
http://lists.opensuse.org/opensuse-updates/2015-11/msg00040.html
openSUSE-SU-2015:1919-1: moderate: Security update for postgresql92
-
http://www.debian.org/security/2016/dsa-3475
Debian -- Security Information -- DSA-3475-1 postgresql-9.1
-
https://security.gentoo.org/glsa/201701-33
PostgreSQL: Multiple vulnerabilities (GLSA 201701-33) — Gentoo security
-
http://www.ubuntu.com/usn/USN-2772-1
USN-2772-1: PostgreSQL vulnerabilities | Ubuntu security notices
-
http://www.postgresql.org/about/news/1615/
PostgreSQL: 2015-10-08 Security Update ReleaseVendor Advisory
-
http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169094.html
[SECURITY] Fedora 23 Update: postgresql-9.4.5-1.fc23
-
http://www.postgresql.org/docs/9.4/static/release-9-4-5.html
PostgreSQL: Documentation: 9.4: Release 9.4.5Vendor Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00016.html
[security-announce] SUSE-SU-2016:0677-1: important: Security update for
-
http://www.postgresql.org/docs/9.3/static/release-9-3-10.html
PostgreSQL: Documentation: 9.3: Release 9.3.10Vendor Advisory
-
http://lists.opensuse.org/opensuse-updates/2015-11/msg00033.html
openSUSE-SU-2015:1907-1: moderate: Security update for postgresql93
Jump to