CVE-2022-41862

Description

In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.

How to fix CVE-2022-41862

To remediate CVE-2022-41862, upgrade the affected package to a fixed version below.

• Alpine/postgresql—upgrade to 13.11-r0 or later
• —upgrade to 13.10-r0 or later
• —upgrade to 14.7-r0 or later
• —upgrade to 15.2-r0 or later
• —upgrade to 12.14.0 or later
• —upgrade to 13.10-0+deb11u1 or later
• —upgrade to 15.2-1 or later

Is CVE-2022-41862 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (7)

• from 0, < 13.11-r0
• from 0, < 13.10-r0
• from 0, < 14.7-r0
• from 0, < 15.2-r0
• >= 12.0.0, < 12.14.0, >= 13.0.0, < 13.10.0, >= 14.0.0, < 14.7.0, >= 15.0.0, < 15.2.0
• from 0, < 13.10-0+deb11u1
• from 0, < 15.2-1

CVSS scores

References (6)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-41862
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-41862
• WEBbugzilla.redhat.com/show_bug.cgi?id=2165722
• WEBnvd.nist.gov/vuln/detail/CVE-2022-41862
• WEB