VYPR
High severity · 7.5 · NVD Advisory · Published Dec 8, 2017 · Updated May 13, 2026

CVE-2017-11480

Description

Packetbeat versions prior to 5.6.4 are affected by a denial of service flaw in the PostgreSQL protocol handler. If Packetbeat is listening for PostgreSQL traffic and a user is able to send arbitrary network traffic to the monitored port, the attacker could prevent Packetbeat from properly logging other PostgreSQL traffic.
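
Flaws of this kind come from reading fixed-width protocol fields without first checking how many bytes remain. The following Go parser for the field descriptions of a PostgreSQL RowDescription message checks the remaining length before every read. It is an added example, not Packetbeat's code; `parseFields`, `errShort`, `sampleField` and the sample bytes are constructed for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

var errShort = errors.New("field description truncated") // hypothetical name
type field struct {
	Name   string
	Format uint16
}

// parseFields decodes n field descriptions from a RowDescription body
// (the bytes after the int16 field count). Each read is preceded by a
// length check, so truncated input returns errShort instead of panicking.
func parseFields(buf []byte, n int) ([]field, error) {
	var fields []field // grown on demand; the wire count is not trusted for allocation
	off := 0
	for i := 0; i < n; i++ {
		end := bytes.IndexByte(buf[off:], 0) // name is NUL-terminated
		if end < 0 {
			return nil, errShort
		}
		name := string(buf[off : off+end])
		off += end + 1
		// Fixed tail: table OID(4) attr(2) type OID(4) size(2) modifier(4) format(2).
		if len(buf)-off < 18 {
			return nil, errShort
		}
		format := binary.BigEndian.Uint16(buf[off+16 : off+18])
		off += 18
		fields = append(fields, field{name, format})
	}
	return fields, nil
}

func sampleField(name string, format uint16) []byte { // constructed demo input
	b := append(append([]byte(name), 0), make([]byte, 16)...)
	return append(b, byte(format>>8), byte(format))
}

func main() {
	msg := append(sampleField("id", 0), sampleField("name", 1)...)
	fmt.Println(parseFields(msg, 2))              // both fields decoded
	fmt.Println(parseFields(msg[:len(msg)-1], 2)) // last format code cut short
}
```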

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| github.com/elastic/beats (Go) | < 5.6.4 | 5.6.4 |
| github.com/elastic/beats (Go) | >= 6.0.0-alpha1, < 6.0.0 | 6.0.0 |

Affected products

  • Elastic/Packetbeat v5
    Range: before 5.6.4

Patches

aeca65779d57

Fix missing length check in PgSQL (#5457)

https://github.com/elastic/beats · Tudor Golubenco · Oct 29, 2017 · via ghsa
2 files changed · +4 -0
  • CHANGELOG.asciidoc (+1 -0, modified)
    @@ -64,6 +64,7 @@ https://github.com/elastic/beats/compare/v6.0.0-beta2...master[Check the HEAD di
     *Packetbeat*
     
     - Fix http status phrase parsing not allow spaces. {pull}5312[5312]
    +- Fix missing length check in the PostgreSQL module. {pull}5457[5457]
     
     *Winlogbeat*
     
    
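Review bot: The added changelog line says only "Fix missing length check in the PostgreSQL module" and gives no hint of the effect, which per the advisory is that crafted traffic on the monitored port can prevent Packetbeat from properly logging other PostgreSQL traffic. Suggest stating that impact in the entry so operators scanning the Packetbeat section can tell this is a fix they need to pick up.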
  • packetbeat/protos/pgsql/parse.go (+3 -0, modified)
    @@ -377,6 +377,9 @@ func pgsqlFieldsParser(s *pgsqlStream, buf []byte) error {
     		off += 4
     
     		// read format (int16)
    +		if len(buf) < off+2 {
    +			return errFieldBufferShort
    +		}
     		format := common.BytesNtohs(buf[off : off+2])
     		off += 2
     		fieldsFormat = append(fieldsFormat, byte(format))
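Review bot: No test accompanies the new len(buf) < off+2 check before the format read in pgsqlFieldsParser; the commit changes only CHANGELOG.asciidoc and parse.go. Suggest adding a regression test that passes a field description cut off just before the 2-byte format code and asserts that errFieldBufferShort is returned. Whatever is read ahead of the "off += 4" context line lies outside this hunk, so it is also worth confirming that read is guarded the same way.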
    
