CVE-2024-10977: 
PostgreSQL vulnerability analysis and mitigation

CVE-2024-10977 is a security vulnerability in PostgreSQL that affects the client's handling of server error messages. The vulnerability was discovered and reported by Jacob Champion, with the fix being published on November 14, 2024. It affects PostgreSQL versions before 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 (PostgreSQL Advisory).

The vulnerability allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. This issue has been assigned a CVSS 3.1 base score of 3.7 (Low) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N according to NVD assessment, while PostgreSQL's own assessment rates it at 3.1 (Low) with vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N (NVD, PostgreSQL Advisory).

The primary impact of this vulnerability is that a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql might mistake for valid query results. However, this is noted to be less concerning for clients where the user interface clearly indicates the boundary between error messages and other text (PostgreSQL Advisory).

The vulnerability has been fixed in PostgreSQL versions 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21. Users are advised to upgrade to these or later versions to mitigate the vulnerability (PostgreSQL Advisory).