EnterpriseDB Advanced Server 8.2 does not properly handle certain debugging function calls that occur before a call to pldbg_create_listener, which allows remote authenticated users to cause a denial of service (daemon crash) and possibly execute arbitrary code via a SELECT statement that invokes a pldbg_ function, as demonstrated by (1) pldbg_get_stack and (2) pldbg_abort_target, which triggers use of an uninitialized pointer.

Threat-Mapped Scoring

Score: 1.9

Priority: P3 - Important (Medium)

• S9 – Sabotage of System/App
• S10 – Denial of Service (+0.1 bonus)

EPSS

Score: 0.15179
Percentile: 0.94275

CVSS Scoring

Mapped CWE(s)

• CWE-824 : Access of Uninitialized Pointer

Affected Products

• cpe:2.3:a:enterprisedb:postgres_advanced_server:8.2:*:*:*:*:*:*:*

← Back to Home