vulnerability
FreeBSD: VID-7a8b6170-a889-11ed-bbae-6cc21735f730 (CVE-2022-41862): PostgreSQL server -- Client memory disclosure when connecting, with Kerberos, to modified server.
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:P/I:N/A:N) | Feb 9, 2023 | Feb 10, 2023 | Dec 10, 2025 |
Severity
4
CVSS
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
Published
Feb 9, 2023
Added
Feb 10, 2023
Modified
Dec 10, 2025
Description
PostgreSQL Project reports: A modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. When a libpq client application has a Kerberos credential cache and doesn't explicitly disable option gssencmode, a server can cause libpq to over-read and report an error message containing uninitialized bytes from and following its receive buffer. If libpq's caller somehow makes that message accessible to the attacker, this achieves a disclosure of the over-read bytes. We have not confirmed or ruled out viability of attacks that arrange for a crash or for presence of notable, confidential information in disclosed bytes.
Solutions
freebsd-upgrade-package-postgresql15-clientfreebsd-upgrade-package-postgresql14-clientfreebsd-upgrade-package-postgresql13-clientfreebsd-upgrade-package-postgresql12-client
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.