8.1
CVE-2025-1094
- EPSS 77.82%
- Published 13.02.2025 13:15:09
- Last modified 21.02.2025 18:15:20
- Source f86ef6dc-4d3a-42ad-8f28-e6d554
- Teams watchlist Login
- Open Login
Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly, improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
This information is available to logged-in users. Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Vendorn/a
≫
Product
PostgreSQL
Default Statusunaffected
Version <
17.3
Version
17
Status
affected
Version <
16.7
Version
16
Status
affected
Version <
15.11
Version
15
Status
affected
Version <
14.16
Version
14
Status
affected
Version <
13.19
Version
0
Status
affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 77.82% | 0.99 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| f86ef6dc-4d3a-42ad-8f28-e6d5547a5007 | 8.1 | 2.2 | 5.9 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-149 Improper Neutralization of Quoting Syntax
Quotes injected into a product can be used to compromise a system. As data are parsed, an injected/absent/duplicate/malformed use of quotes may cause the process to take unexpected actions.