PgPool Global Development Group Pgpool-II up to 4.5.3w Database information disclosure

Summaryinfo

A vulnerability has been found in PgPool Global Development Group Pgpool-II up to 4.1.21/4.2.18/4.3.11/4.4.8/4.5.3w and classified as problematic. Affected by this issue is some unknown functionality of the component Database Handler. Performing a manipulation results in information disclosure. This vulnerability is known as CVE-2024-45624. Remote exploitation of the attack is possible. No exploit is available.

Detailsinfo

A vulnerability classified as problematic has been found in PgPool Global Development Group Pgpool-II up to 4.1.21/4.2.18/4.3.11/4.4.8/4.5.3w. This affects an unknown part of the component Database Handler. The manipulation with an unknown input leads to a information disclosure vulnerability. CWE is classifying the issue as CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. This is going to have an impact on confidentiality. The summary by CVE is:

Exposure of sensitive information due to incompatible policies issue exists in Pgpool-II. If a database user accesses a query cache, table data unauthorized for the user may be retrieved.

The advisory is shared at pgpool.net. This vulnerability is uniquely identified as CVE-2024-45624 since 09/03/2024. The exploitability is told to be easy. It is possible to initiate the attack remotely. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1592 for this issue.

The vulnerability scanner Nessus provides a plugin with the ID 212755 (Debian dla-3993 : libpgpool-dev - security update), which helps to determine the existence of the flaw in a target environment.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at Tenable (212755). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Productinfo

Vendor

• PgPool Global Development Group

Name

• Pgpool-II

Version

• 4.1.0
• 4.1.1
• 4.1.2
• 4.1.3
• 4.1.4
• 4.1.5
• 4.1.6
• 4.1.7
• 4.1.8
• 4.1.9
• 4.1.10
• 4.1.11
• 4.1.12
• 4.1.13
• 4.1.14
• 4.1.15
• 4.1.16
• 4.1.17
• 4.1.18
• 4.1.19
• 4.1.20
• 4.1.21
• 4.2.0
• 4.2.1
• 4.2.2
• 4.2.3
• 4.2.4
• 4.2.5
• 4.2.6
• 4.2.7
• 4.2.8
• 4.2.9
• 4.2.10
• 4.2.11
• 4.2.12
• 4.2.13
• 4.2.14
• 4.2.15
• 4.2.16
• 4.2.17
• 4.2.18
• 4.3.0
• 4.3.1
• 4.3.2
• 4.3.3
• 4.3.4
• 4.3.5
• 4.3.6
• 4.3.7
• 4.3.8
• 4.3.9
• 4.3.10
• 4.3.11
• 4.4.0
• 4.4.1
• 4.4.2
• 4.4.3
• 4.4.4
• 4.4.5
• 4.4.6
• 4.4.7
• 4.4.8
• 4.5.3a
• 4.5.3b
• 4.5.3c
• 4.5.3d
• 4.5.3e
• 4.5.3f
• 4.5.3g
• 4.5.3h
• 4.5.3i
• 4.5.3j
• 4.5.3k
• 4.5.3l
• 4.5.3m
• 4.5.3n
• 4.5.3o
• 4.5.3p
• 4.5.3q
• 4.5.3r
• 4.5.3s
• 4.5.3t
• 4.5.3u
• 4.5.3v
• 4.5.3w

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion