PT-2024-8141 · Postgresql+7
Jacob Champion · Published 2024-11-14 · Updated 2026-04-03
CVE-2024-10977
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
PostgreSQL versions prior to 17.1
PostgreSQL versions prior to 16.5
PostgreSQL versions prior to 15.9
PostgreSQL versions prior to 14.14
PostgreSQL versions prior to 13.17
PostgreSQL versions prior to 12.21
Description:
The issue lies in the libpq client's handling of server error messages: a server that is not yet trusted under the current SSL or GSS settings can supply arbitrary non-NUL bytes to the libpq application. A man-in-the-middle could therefore send a long error message that a human or a screen-scraping user of psql mistakes for valid query results. This is unlikely to be a concern for clients whose user interface clearly marks the boundary between an error message and other text.
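To make the defensive side of this concrete, the following added example (not PostgreSQL's or libpq's own code) shows one client-side policy for text that arrives as an error message from a server the client has not yet authenticated: accept it only if it is short and consists of printable ASCII, otherwise show a fixed generic message, and always frame what is shown so it cannot be read as query output. The length bound, the accepted character range and the wording are this example's own assumptions, not values taken from the fix.

```python
# Added example, not libpq code: a policy for displaying an error message
# received from a server that has not yet been authenticated (for instance,
# before SSL/GSS negotiation completed). Assumes the caller has already
# parsed the wire protocol and passes the raw message bytes.

MAX_UNTRUSTED_ERROR_LEN = 256  # assumed bound; very long messages are suspicious
GENERIC_MESSAGE = "received malformed error message from unauthenticated server"


def sanitize_untrusted_error(raw: bytes) -> tuple[str, bool]:
    """Return (text_to_show, accepted).

    Only printable ASCII (0x20..0x7E) with an optional single trailing newline
    and a bounded length is accepted. Anything else (control characters such
    as ESC, embedded newlines, non-ASCII, excessive length) is replaced by a
    fixed generic message, so bytes chosen by an unauthenticated peer never
    reach the terminal or a screen-scraper verbatim.
    """
    if raw.endswith(b"\n"):
        raw = raw[:-1]
    if len(raw) > MAX_UNTRUSTED_ERROR_LEN:
        return GENERIC_MESSAGE, False
    if not all(0x20 <= b <= 0x7E for b in raw):
        return GENERIC_MESSAGE, False
    return raw.decode("ascii"), True


def render_for_terminal(text: str) -> str:
    """Frame the message on one line with an explicit prefix and suffix so a
    human or a screen-scraper cannot mistake it for a result set."""
    return f"[server error: {text}]"


def demo() -> list[tuple[str, bool]]:
    """Run the policy over constructed sample messages (not captured traffic)."""
    samples = [
        b"FATAL: password authentication failed\n",          # ordinary error
        b"ok\x1b[2J\x1b[H",                                   # terminal escape sequence
        b" id | name\n----+-------\n  1 | alice\n(1 row)\n",  # looks like query output
        b"X" * (MAX_UNTRUSTED_ERROR_LEN + 1),                 # over the length bound
    ]
    return [sanitize_untrusted_error(s) for s in samples]


if __name__ == "__main__":
    for text, accepted in demo():
        print(render_for_terminal(text), "accepted" if accepted else "rejected")
```

The second sample is rejected because of the ESC bytes, the third because it contains interior newlines, and the fourth because of its length; only the first is shown as received, and even then inside a fixed frame.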
Recommendations:
For versions prior to 17.1, update to PostgreSQL 17.1 or later.
For versions prior to 16.5, update to PostgreSQL 16.5 or later.
For versions prior to 15.9, update to PostgreSQL 15.9 or later.
For versions prior to 14.14, update to PostgreSQL 14.14 or later.
For versions prior to 13.17, update to PostgreSQL 13.17 or later.
For versions prior to 12.21, update to PostgreSQL 12.21 or later.
Weakness: Insufficient Verification of Data Authenticity
Affected Products:
Alt Linux
Astra Linux
Linuxmint
Postgresql
Red Os
Suse
Ubuntu
Zvirt Node