CVE-2015-0244

Name of the Vulnerable Software and Affected Versions PostgreSQL versions 9.0.0 through 9.0.18 PostgreSQL versions 9.1.x before 9.1.15 PostgreSQL versions 9.2.x before 9.2.10 PostgreSQL versions 9.3.x before 9.3.6 PostgreSQL versions 9.4.x before 9.4.1

Description The issue arises from improper error handling while reading a protocol message, allowing remote attackers to conduct SQL injection attacks via crafted binary data in a parameter. This is achieved by causing an error, which triggers the loss of synchronization and part of the protocol message to be treated as a new message. This can be demonstrated by causing a timeout or query cancellation.

Recommendations For PostgreSQL versions 9.0.0 through 9.0.18, update to version 9.0.19 or later. For PostgreSQL versions 9.1.x before 9.1.15, update to version 9.1.15 or later. For PostgreSQL versions 9.2.x before 9.2.10, update to version 9.2.10 or later. For PostgreSQL versions 9.3.x before 9.3.6, update to version 9.3.6 or later. For PostgreSQL versions 9.4.x before 9.4.1, update to version 9.4.1 or later.