CVE-2024-10977

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

Published: Nov 14, 2024
Updated: May 4, 2025
CVE: CVE-2024-10977
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.7
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CWEs:

CWE-345

Affected Software
References

Software	From	Fixed in
postgresql / postgresql	16.0	16.5
postgresql / postgresql	15.0	15.9
postgresql / postgresql	14.0	14.14
postgresql / postgresql	13.0	13.17
postgresql / postgresql	12.0	12.21
postgresql / postgresql	17.0-beta2	17.0-beta2.x
postgresql / postgresql	17.0-beta3	17.0-beta3.x
postgresql / postgresql	17.0-rc1	17.0-rc1.x
postgresql / postgresql	17.0	17.0.x
postgresql / postgresql	17.0-beta1	17.0-beta1.x

https://www.postgresql.org/support/security/CVE-2024-10977/

Vulnerability Database

289,599

CVE-2024-10977