CVE-2012-1151 : Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Pe

Multiple format string vulnerabilities in dbdimp.c in DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module before 2.19.0 for Perl allow remote PostgreSQL database servers to cause a denial of service (process crash) via format string specifiers in (1) a crafted database warning to the pg_warn function or (2) a crafted DBD statement to the dbd_st_prepare function.

Published 2012-09-09 21:55:05

Updated 2017-08-29 01:31:13

Source Red Hat, Inc.

View at NVD, CVE.org

Vulnerability category: OverflowDenial of service

Threat overview for CVE-2012-1151

Top countries where our scanners detected CVE-2012-1151

Top open port discovered on systems with this issue 80

IPs affected by CVE-2012-1151 361

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2012-1151!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2012-1151

Probability of exploitation activity in the next 30 days: 2.88%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 90 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2012-1151

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:N/A:P	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: None Availability Impact: Partial

CWE ids for CVE-2012-1151

CWE-134 Use of Externally-Controlled Format String

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2012-1151

https://bugzilla.redhat.com/show_bug.cgi?id=801733

801733 – (CVE-2012-1151) CVE-2012-1151 perl-DBD-Pg: Format string flaws by turning db notices into Perl warnings and by preparing DBD statement
http://www.openwall.com/lists/oss-security/2012/03/10/4

oss-security - Re: CVE Request -- libdbd-pg-perl / perl-DBD-Pg && libyaml-libyaml-perl / perl-YAML-LibYAML: Multiple format string flaws

CVEs referencing this url
https://exchange.xforce.ibmcloud.com/vulnerabilities/73855

DBD::Pg module for Perl dbd_st_prepare() format string CVE-2012-1151 Vulnerability Report
http://www.openwall.com/lists/oss-security/2012/03/09/6

oss-security - CVE Request -- libdbd-pg-perl / perl-DBD-Pg && libyaml-libyaml-perl / perl-YAML-LibYAML: Multiple format string flaws

CVEs referencing this url
http://security.gentoo.org/glsa/glsa-201204-08.xml

Perl DBD-Pg Module: Arbitrary code execution (GLSA 201204-08) — Gentoo security
http://www.mandriva.com/security/advisories?name=MDVSA-2012:112

mandriva.com
http://www.debian.org/security/2012/dsa-2431

Debian -- Security Information -- DSA-2431-1 libdbd-pg-perl
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=661536

#661536 - libdbd-pg-perl: CVE-2012-1151: Format string vulnerabilities in server error parsing - Debian Bug report logs
https://rt.cpan.org/Public/Bug/Display.html?id=75642

Bug #75642 for DBD-Pg: Format string security issue with a malicious server
http://cpansearch.perl.org/src/TURNSTEP/DBD-Pg-2.19.1/Changes
https://exchange.xforce.ibmcloud.com/vulnerabilities/73854

DBD::Pg module for Perl pg_warn() format string CVE-2012-1151 Vulnerability Report
http://rhn.redhat.com/errata/RHSA-2012-1116.html

RHSA-2012:1116 - Security Advisory - Red Hat Customer Portal

Products affected by CVE-2012-1151