CVE-2024-10977

Description

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

How to fix CVE-2024-10977

To remediate CVE-2024-10977, upgrade the affected package to a fixed version below.

• —upgrade to 14.14-r0 or later
• —upgrade to 15.9-r0 or later
• —upgrade to 16.5-r0 or later
• —upgrade to 17.1-r0 or later
• —upgrade to 12.21.0 or later
• —upgrade to 13.17-0+deb11u1 or later
• —upgrade to 15.9-0+deb12u1 or later
• —upgrade to 17.1-1 or later

Is CVE-2024-10977 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (8)

• from 0, < 14.14-r0
• from 0, < 15.9-r0
• from 0, < 16.5-r0
• from 0, < 17.1-r0
• from 0, < 12.21.0, >= 13.0.0, < 13.17.0, >= 14.0.0, < 14.14.0, >= 15.0.0, < 15.9.0, >= 16.0.0, < 16.5.0, >= 17.0.0, < 17.1.0
• from 0, < 13.17-0+deb11u1
• from 0, < 15.9-0+deb12u1
• from 0, < 17.1-1

CVSS scores

References (5)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2024-10977
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-10977
• WEBlists.debian.org/debian-lts-announce/2024/11/msg00011.html
• WEBnvd.nist.gov/vuln/detail/CVE-2024-10977