
    12 vulnerabilities found for PostgreSQL by The PostgreSQL Global Development Group

    CVE-2018-1058 (GCVE-0-2018-1058)

    Vulnerability from cvelistv5 – Published: 2018-03-02 15:00 – Updated: 2024-09-17 03:22
    Summary
    A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    https://bugzilla.redhat.com/show_bug.cgi?id=1547044 x_refsource_CONFIRM
    https://usn.ubuntu.com/3589-1/ vendor-advisory x_refsource_UBUNTU
    http://www.securityfocus.com/bid/103221 vdb-entry x_refsource_BID
    https://www.postgresql.org/about/news/1834/ x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2018:2511 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2566 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:3816 vendor-advisory x_refsource_REDHAT
    Impacted products
    Date Public
    2018-03-01 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:44:11.804Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547044"
              },
              {
                "name": "USN-3589-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/3589-1/"
              },
              {
                "name": "103221",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/103221"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1834/"
              },
              {
                "name": "RHSA-2018:2511",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2511"
              },
              {
                "name": "RHSA-2018:2566",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2566"
              },
              {
                "name": "RHSA-2018:3816",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3816"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "postgresql",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.3 - 10"
                }
              ]
            }
          ],
          "datePublic": "2018-03-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-12-14T10:57:02.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547044"
            },
            {
              "name": "USN-3589-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/3589-1/"
            },
            {
              "name": "103221",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/103221"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1834/"
            },
            {
              "name": "RHSA-2018:2511",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2511"
            },
            {
              "name": "RHSA-2018:2566",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2566"
            },
            {
              "name": "RHSA-2018:3816",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3816"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "DATE_PUBLIC": "2018-03-01T00:00:00",
              "ID": "CVE-2018-1058",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "postgresql",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "9.3 - 10"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1547044",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547044"
                },
                {
                  "name": "USN-3589-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/3589-1/"
                },
                {
                  "name": "103221",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/103221"
                },
                {
                  "name": "https://www.postgresql.org/about/news/1834/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1834/"
                },
                {
                  "name": "RHSA-2018:2511",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2511"
                },
                {
                  "name": "RHSA-2018:2566",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2566"
                },
                {
                  "name": "RHSA-2018:3816",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3816"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-1058",
        "datePublished": "2018-03-02T15:00:00.000Z",
        "dateReserved": "2017-12-04T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:22:50.533Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1053 (GCVE-0-2018-1053)

    Vulnerability from cvelistv5 – Published: 2018-02-09 14:00 – Updated: 2024-09-17 04:20
    Summary
    In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    https://www.postgresql.org/about/news/1829/ x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2018:2511 vendor-advisory x_refsource_REDHAT
    https://lists.debian.org/debian-lts-announce/2018/02/msg00006.html mailing-list x_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2018:2566 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:3816 vendor-advisory x_refsource_REDHAT
    http://www.securityfocus.com/bid/102986 vdb-entry x_refsource_BID
    https://usn.ubuntu.com/3564-1/ vendor-advisory x_refsource_UBUNTU
    Impacted products
    Vendor Product Version
    The PostgreSQL Global Development Group postgresql Affected: 9.3.x before 9.3.21
    Affected: 9.4.x before 9.4.16
    Affected: 9.5.x before 9.5.11
    Affected: 9.6.x before 9.6.7
    Affected: 10.x before 10.2
    Date Public
    2018-02-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:44:11.896Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1829/"
              },
              {
                "name": "RHSA-2018:2511",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2511"
              },
              {
                "name": "[debian-lts-announce] 20180207 [SECURITY] [DLA-1271-1] postgresql-9.1 security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00006.html"
              },
              {
                "name": "RHSA-2018:2566",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2566"
              },
              {
                "name": "RHSA-2018:3816",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3816"
              },
              {
                "name": "102986",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/102986"
              },
              {
                "name": "USN-3564-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/3564-1/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "postgresql",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.3.x before 9.3.21"
                },
                {
                  "status": "affected",
                  "version": "9.4.x before 9.4.16"
                },
                {
                  "status": "affected",
                  "version": "9.5.x before 9.5.11"
                },
                {
                  "status": "affected",
                  "version": "9.6.x before 9.6.7"
                },
                {
                  "status": "affected",
                  "version": "10.x before 10.2"
                }
              ]
            }
          ],
          "datePublic": "2018-02-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-377",
                  "description": "CWE-377",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-12-14T10:57:02.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1829/"
            },
            {
              "name": "RHSA-2018:2511",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2511"
            },
            {
              "name": "[debian-lts-announce] 20180207 [SECURITY] [DLA-1271-1] postgresql-9.1 security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00006.html"
            },
            {
              "name": "RHSA-2018:2566",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2566"
            },
            {
              "name": "RHSA-2018:3816",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3816"
            },
            {
              "name": "102986",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/102986"
            },
            {
              "name": "USN-3564-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/3564-1/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "DATE_PUBLIC": "2018-02-08T00:00:00",
              "ID": "CVE-2018-1053",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "postgresql",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "9.3.x before 9.3.21"
                              },
                              {
                                "version_value": "9.4.x before 9.4.16"
                              },
                              {
                                "version_value": "9.5.x before 9.5.11"
                              },
                              {
                                "version_value": "9.6.x before 9.6.7"
                              },
                              {
                                "version_value": "10.x before 10.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-377"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.postgresql.org/about/news/1829/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1829/"
                },
                {
                  "name": "RHSA-2018:2511",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2511"
                },
                {
                  "name": "[debian-lts-announce] 20180207 [SECURITY] [DLA-1271-1] postgresql-9.1 security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00006.html"
                },
                {
                  "name": "RHSA-2018:2566",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2566"
                },
                {
                  "name": "RHSA-2018:3816",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3816"
                },
                {
                  "name": "102986",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/102986"
                },
                {
                  "name": "USN-3564-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/3564-1/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-1053",
        "datePublished": "2018-02-09T14:00:00.000Z",
        "dateReserved": "2017-12-04T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:20:15.991Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1052 (GCVE-0-2018-1052)

    Vulnerability from cvelistv5 – Published: 2018-02-09 14:00 – Updated: 2024-09-16 17:08
    Summary
    Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    https://www.postgresql.org/about/news/1829/ x_refsource_CONFIRM
    http://www.securityfocus.com/bid/102987 vdb-entry x_refsource_BID
    Impacted products
    Date Public
    2018-02-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:44:11.952Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1829/"
              },
              {
                "name": "102987",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/102987"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "postgresql",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "10.x before 10.2"
                }
              ]
            }
          ],
          "datePublic": "2018-02-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-02-14T10:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1829/"
            },
            {
              "name": "102987",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/102987"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "DATE_PUBLIC": "2018-02-08T00:00:00",
              "ID": "CVE-2018-1052",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "postgresql",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "10.x before 10.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.postgresql.org/about/news/1829/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1829/"
                },
                {
                  "name": "102987",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/102987"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-1052",
        "datePublished": "2018-02-09T14:00:00.000Z",
        "dateReserved": "2017-12-04T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:08:06.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7485 (GCVE-0-2017-7485)

    Vulnerability from cvelistv5 – Published: 2017-05-12 19:00 – Updated: 2024-08-05 16:04
    Summary
    In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    http://www.securitytracker.com/id/1038476 vdb-entry x_refsource_SECTRACK
    http://www.debian.org/security/2017/dsa-3851 vendor-advisory x_refsource_DEBIAN
    https://access.redhat.com/errata/RHSA-2017:2425 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1678 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1677 vendor-advisory x_refsource_REDHAT
    https://www.postgresql.org/about/news/1746/ x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1838 vendor-advisory x_refsource_REDHAT
    http://www.securityfocus.com/bid/98461 vdb-entry x_refsource_BID
    https://security.gentoo.org/glsa/201710-06 vendor-advisory x_refsource_GENTOO
    Impacted products
    Date Public
    2017-05-12 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.584Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "1038476",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1038476"
              },
              {
                "name": "DSA-3851",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2017/dsa-3851"
              },
              {
                "name": "RHSA-2017:2425",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2425"
              },
              {
                "name": "RHSA-2017:1678",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1678"
              },
              {
                "name": "RHSA-2017:1677",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1677"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1746/"
              },
              {
                "name": "RHSA-2017:1838",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1838"
              },
              {
                "name": "98461",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98461"
              },
              {
                "name": "GLSA-201710-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201710-06"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "PostgreSQL",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.3 - 9.6"
                }
              ]
            }
          ],
          "datePublic": "2017-05-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-390",
                  "description": "CWE-390",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-04T19:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "1038476",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1038476"
            },
            {
              "name": "DSA-3851",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2017/dsa-3851"
            },
            {
              "name": "RHSA-2017:2425",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2425"
            },
            {
              "name": "RHSA-2017:1678",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1678"
            },
            {
              "name": "RHSA-2017:1677",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1677"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1746/"
            },
            {
              "name": "RHSA-2017:1838",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1838"
            },
            {
              "name": "98461",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98461"
            },
            {
              "name": "GLSA-201710-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201710-06"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-7485",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "PostgreSQL",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "9.3 - 9.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-390"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "1038476",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1038476"
                },
                {
                  "name": "DSA-3851",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2017/dsa-3851"
                },
                {
                  "name": "RHSA-2017:2425",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2425"
                },
                {
                  "name": "RHSA-2017:1678",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1678"
                },
                {
                  "name": "RHSA-2017:1677",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1677"
                },
                {
                  "name": "https://www.postgresql.org/about/news/1746/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1746/"
                },
                {
                  "name": "RHSA-2017:1838",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1838"
                },
                {
                  "name": "98461",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98461"
                },
                {
                  "name": "GLSA-201710-06",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201710-06"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7485",
        "datePublished": "2017-05-12T19:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:04:11.584Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7486 (GCVE-0-2017-7486)

    Vulnerability from cvelistv5 – Published: 2017-05-12 19:00 – Updated: 2024-08-05 16:04
    VLAI
    Summary
    PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    http://www.securitytracker.com/id/1038476 vdb-entry, x_refsource_SECTRACK
    http://www.debian.org/security/2017/dsa-3851 vendor-advisory, x_refsource_DEBIAN
    https://access.redhat.com/errata/RHSA-2017:2425 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1678 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1677 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1983 vendor-advisory, x_refsource_REDHAT
    https://www.postgresql.org/about/news/1746/ x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1838 vendor-advisory, x_refsource_REDHAT
    http://www.securityfocus.com/bid/98460 vdb-entry, x_refsource_BID
    https://security.gentoo.org/glsa/201710-06 vendor-advisory, x_refsource_GENTOO
    Impacted products
    Date Public
    2017-05-12 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.547Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "1038476",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1038476"
              },
              {
                "name": "DSA-3851",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2017/dsa-3851"
              },
              {
                "name": "RHSA-2017:2425",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2425"
              },
              {
                "name": "RHSA-2017:1678",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1678"
              },
              {
                "name": "RHSA-2017:1677",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1677"
              },
              {
                "name": "RHSA-2017:1983",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1983"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1746/"
              },
              {
                "name": "RHSA-2017:1838",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1838"
              },
              {
                "name": "98460",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98460"
              },
              {
                "name": "GLSA-201710-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201710-06"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "PostgreSQL",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.4 - 9.6"
                }
              ]
            }
          ],
          "datePublic": "2017-05-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-04T19:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "1038476",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1038476"
            },
            {
              "name": "DSA-3851",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2017/dsa-3851"
            },
            {
              "name": "RHSA-2017:2425",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2425"
            },
            {
              "name": "RHSA-2017:1678",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1678"
            },
            {
              "name": "RHSA-2017:1677",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1677"
            },
            {
              "name": "RHSA-2017:1983",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1983"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1746/"
            },
            {
              "name": "RHSA-2017:1838",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1838"
            },
            {
              "name": "98460",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98460"
            },
            {
              "name": "GLSA-201710-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201710-06"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-7486",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "PostgreSQL",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "8.4 - 9.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-522"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "1038476",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1038476"
                },
                {
                  "name": "DSA-3851",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2017/dsa-3851"
                },
                {
                  "name": "RHSA-2017:2425",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2425"
                },
                {
                  "name": "RHSA-2017:1678",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1678"
                },
                {
                  "name": "RHSA-2017:1677",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1677"
                },
                {
                  "name": "RHSA-2017:1983",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1983"
                },
                {
                  "name": "https://www.postgresql.org/about/news/1746/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1746/"
                },
                {
                  "name": "RHSA-2017:1838",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1838"
                },
                {
                  "name": "98460",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98460"
                },
                {
                  "name": "GLSA-201710-06",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201710-06"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7486",
        "datePublished": "2017-05-12T19:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:04:11.547Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7484 (GCVE-0-2017-7484)

    Vulnerability from cvelistv5 – Published: 2017-05-12 19:00 – Updated: 2024-08-05 16:04
    VLAI
    Summary
    It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    http://www.securitytracker.com/id/1038476 vdb-entry, x_refsource_SECTRACK
    http://www.debian.org/security/2017/dsa-3851 vendor-advisory, x_refsource_DEBIAN
    https://access.redhat.com/errata/RHSA-2017:2425 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1678 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1677 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1983 vendor-advisory, x_refsource_REDHAT
    https://www.postgresql.org/about/news/1746/ x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1838 vendor-advisory, x_refsource_REDHAT
    http://www.securityfocus.com/bid/98459 vdb-entry, x_refsource_BID
    https://security.gentoo.org/glsa/201710-06 vendor-advisory, x_refsource_GENTOO
    Impacted products
    Date Public
    2017-05-12 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.415Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "1038476",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1038476"
              },
              {
                "name": "DSA-3851",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2017/dsa-3851"
              },
              {
                "name": "RHSA-2017:2425",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2425"
              },
              {
                "name": "RHSA-2017:1678",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1678"
              },
              {
                "name": "RHSA-2017:1677",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1677"
              },
              {
                "name": "RHSA-2017:1983",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1983"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1746/"
              },
              {
                "name": "RHSA-2017:1838",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1838"
              },
              {
                "name": "98459",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98459"
              },
              {
                "name": "GLSA-201710-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201710-06"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "PostgreSQL",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.2 - 9.6"
                }
              ]
            }
          ],
          "datePublic": "2017-05-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-04T19:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "1038476",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1038476"
            },
            {
              "name": "DSA-3851",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2017/dsa-3851"
            },
            {
              "name": "RHSA-2017:2425",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2425"
            },
            {
              "name": "RHSA-2017:1678",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1678"
            },
            {
              "name": "RHSA-2017:1677",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1677"
            },
            {
              "name": "RHSA-2017:1983",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1983"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1746/"
            },
            {
              "name": "RHSA-2017:1838",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1838"
            },
            {
              "name": "98459",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98459"
            },
            {
              "name": "GLSA-201710-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201710-06"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-7484",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "PostgreSQL",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "9.2 - 9.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-285"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "1038476",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1038476"
                },
                {
                  "name": "DSA-3851",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2017/dsa-3851"
                },
                {
                  "name": "RHSA-2017:2425",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2425"
                },
                {
                  "name": "RHSA-2017:1678",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1678"
                },
                {
                  "name": "RHSA-2017:1677",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1677"
                },
                {
                  "name": "RHSA-2017:1983",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1983"
                },
                {
                  "name": "https://www.postgresql.org/about/news/1746/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1746/"
                },
                {
                  "name": "RHSA-2017:1838",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1838"
                },
                {
                  "name": "98459",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98459"
                },
                {
                  "name": "GLSA-201710-06",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201710-06"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7484",
        "datePublished": "2017-05-12T19:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:04:11.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1058 (GCVE-0-2018-1058)

    Vulnerability from nvd – Published: 2018-03-02 15:00 – Updated: 2024-09-17 03:22
    VLAI
    Summary
    A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    https://bugzilla.redhat.com/show_bug.cgi?id=1547044 x_refsource_CONFIRM
    https://usn.ubuntu.com/3589-1/ vendor-advisory x_refsource_UBUNTU
    http://www.securityfocus.com/bid/103221 vdb-entry x_refsource_BID
    https://www.postgresql.org/about/news/1834/ x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2018:2511 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2566 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:3816 vendor-advisory x_refsource_REDHAT
    Impacted products
    Date Public
    2018-03-01 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:44:11.804Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547044"
              },
              {
                "name": "USN-3589-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/3589-1/"
              },
              {
                "name": "103221",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/103221"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1834/"
              },
              {
                "name": "RHSA-2018:2511",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2511"
              },
              {
                "name": "RHSA-2018:2566",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2566"
              },
              {
                "name": "RHSA-2018:3816",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3816"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "postgresql",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.3 - 10"
                }
              ]
            }
          ],
          "datePublic": "2018-03-01T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-12-14T10:57:02.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547044"
            },
            {
              "name": "USN-3589-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/3589-1/"
            },
            {
              "name": "103221",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/103221"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1834/"
            },
            {
              "name": "RHSA-2018:2511",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2511"
            },
            {
              "name": "RHSA-2018:2566",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2566"
            },
            {
              "name": "RHSA-2018:3816",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3816"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "DATE_PUBLIC": "2018-03-01T00:00:00",
              "ID": "CVE-2018-1058",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "postgresql",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "9.3 - 10"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1547044",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1547044"
                },
                {
                  "name": "USN-3589-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/3589-1/"
                },
                {
                  "name": "103221",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/103221"
                },
                {
                  "name": "https://www.postgresql.org/about/news/1834/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1834/"
                },
                {
                  "name": "RHSA-2018:2511",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2511"
                },
                {
                  "name": "RHSA-2018:2566",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2566"
                },
                {
                  "name": "RHSA-2018:3816",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3816"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-1058",
        "datePublished": "2018-03-02T15:00:00.000Z",
        "dateReserved": "2017-12-04T00:00:00.000Z",
        "dateUpdated": "2024-09-17T03:22:50.533Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1053 (GCVE-0-2018-1053)

    Vulnerability from nvd – Published: 2018-02-09 14:00 – Updated: 2024-09-17 04:20
    VLAI
    Summary
    In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    https://www.postgresql.org/about/news/1829/ x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2018:2511 vendor-advisory x_refsource_REDHAT
    https://lists.debian.org/debian-lts-announce/2018/02/msg00006.html mailing-list x_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2018:2566 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:3816 vendor-advisory x_refsource_REDHAT
    http://www.securityfocus.com/bid/102986 vdb-entry x_refsource_BID
    https://usn.ubuntu.com/3564-1/ vendor-advisory x_refsource_UBUNTU
    Impacted products
    Vendor Product Version
    The PostgreSQL Global Development Group postgresql Affected: 9.3.x before 9.3.21
    Affected: 9.4.x before 9.4.16
    Affected: 9.5.x before 9.5.11
    Affected: 9.6.x before 9.6.7
    Affected: 10.x before 10.2
    Date Public
    2018-02-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:44:11.896Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1829/"
              },
              {
                "name": "RHSA-2018:2511",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2511"
              },
              {
                "name": "[debian-lts-announce] 20180207 [SECURITY] [DLA-1271-1] postgresql-9.1 security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00006.html"
              },
              {
                "name": "RHSA-2018:2566",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2566"
              },
              {
                "name": "RHSA-2018:3816",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3816"
              },
              {
                "name": "102986",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/102986"
              },
              {
                "name": "USN-3564-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/3564-1/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "postgresql",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.3.x before 9.3.21"
                },
                {
                  "status": "affected",
                  "version": "9.4.x before 9.4.16"
                },
                {
                  "status": "affected",
                  "version": "9.5.x before 9.5.11"
                },
                {
                  "status": "affected",
                  "version": "9.6.x before 9.6.7"
                },
                {
                  "status": "affected",
                  "version": "10.x before 10.2"
                }
              ]
            }
          ],
          "datePublic": "2018-02-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-377",
                  "description": "CWE-377",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-12-14T10:57:02.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1829/"
            },
            {
              "name": "RHSA-2018:2511",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2511"
            },
            {
              "name": "[debian-lts-announce] 20180207 [SECURITY] [DLA-1271-1] postgresql-9.1 security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00006.html"
            },
            {
              "name": "RHSA-2018:2566",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2566"
            },
            {
              "name": "RHSA-2018:3816",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3816"
            },
            {
              "name": "102986",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/102986"
            },
            {
              "name": "USN-3564-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/3564-1/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "DATE_PUBLIC": "2018-02-08T00:00:00",
              "ID": "CVE-2018-1053",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "postgresql",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "9.3.x before 9.3.21"
                              },
                              {
                                "version_value": "9.4.x before 9.4.16"
                              },
                              {
                                "version_value": "9.5.x before 9.5.11"
                              },
                              {
                                "version_value": "9.6.x before 9.6.7"
                              },
                              {
                                "version_value": "10.x before 10.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-377"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.postgresql.org/about/news/1829/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1829/"
                },
                {
                  "name": "RHSA-2018:2511",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2511"
                },
                {
                  "name": "[debian-lts-announce] 20180207 [SECURITY] [DLA-1271-1] postgresql-9.1 security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2018/02/msg00006.html"
                },
                {
                  "name": "RHSA-2018:2566",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2566"
                },
                {
                  "name": "RHSA-2018:3816",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3816"
                },
                {
                  "name": "102986",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/102986"
                },
                {
                  "name": "USN-3564-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/3564-1/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-1053",
        "datePublished": "2018-02-09T14:00:00.000Z",
        "dateReserved": "2017-12-04T00:00:00.000Z",
        "dateUpdated": "2024-09-17T04:20:15.991Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-1052 (GCVE-0-2018-1052)

    Vulnerability from nvd – Published: 2018-02-09 14:00 – Updated: 2024-09-16 17:08
    VLAI
    Summary
    Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table.
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    URL Tags
    https://www.postgresql.org/about/news/1829/ x_refsource_CONFIRM
    http://www.securityfocus.com/bid/102987 vdb-entry x_refsource_BID
    Impacted products
    Date Public
    2018-02-08 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T03:44:11.952Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1829/"
              },
              {
                "name": "102987",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/102987"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "postgresql",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "10.x before 10.2"
                }
              ]
            }
          ],
          "datePublic": "2018-02-08T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-02-14T10:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1829/"
            },
            {
              "name": "102987",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/102987"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "DATE_PUBLIC": "2018-02-08T00:00:00",
              "ID": "CVE-2018-1052",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "postgresql",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "10.x before 10.2"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-200"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.postgresql.org/about/news/1829/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1829/"
                },
                {
                  "name": "102987",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/102987"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-1052",
        "datePublished": "2018-02-09T14:00:00.000Z",
        "dateReserved": "2017-12-04T00:00:00.000Z",
        "dateUpdated": "2024-09-16T17:08:06.088Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7486 (GCVE-0-2017-7486)

    Vulnerability from nvd – Published: 2017-05-12 19:00 – Updated: 2024-08-05 16:04
    Summary
    PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server.
    Severity
    No CVSS data available.
    CWE
    CWE-522
    Assigner
    redhat
    References
    URL Tags
    http://www.securitytracker.com/id/1038476 vdb-entry, x_refsource_SECTRACK
    http://www.debian.org/security/2017/dsa-3851 vendor-advisory, x_refsource_DEBIAN
    https://access.redhat.com/errata/RHSA-2017:2425 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1678 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1677 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1983 vendor-advisory, x_refsource_REDHAT
    https://www.postgresql.org/about/news/1746/ x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1838 vendor-advisory, x_refsource_REDHAT
    http://www.securityfocus.com/bid/98460 vdb-entry, x_refsource_BID
    https://security.gentoo.org/glsa/201710-06 vendor-advisory, x_refsource_GENTOO
    Impacted products
    PostgreSQL (The PostgreSQL Global Development Group): affected versions 8.4 - 9.6
    Date Public
    2017-05-12 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.547Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "1038476",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1038476"
              },
              {
                "name": "DSA-3851",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2017/dsa-3851"
              },
              {
                "name": "RHSA-2017:2425",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2425"
              },
              {
                "name": "RHSA-2017:1678",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1678"
              },
              {
                "name": "RHSA-2017:1677",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1677"
              },
              {
                "name": "RHSA-2017:1983",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1983"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1746/"
              },
              {
                "name": "RHSA-2017:1838",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1838"
              },
              {
                "name": "98460",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98460"
              },
              {
                "name": "GLSA-201710-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201710-06"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "PostgreSQL",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "8.4 - 9.6"
                }
              ]
            }
          ],
          "datePublic": "2017-05-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-522",
                  "description": "CWE-522",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-04T19:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "1038476",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1038476"
            },
            {
              "name": "DSA-3851",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2017/dsa-3851"
            },
            {
              "name": "RHSA-2017:2425",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2425"
            },
            {
              "name": "RHSA-2017:1678",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1678"
            },
            {
              "name": "RHSA-2017:1677",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1677"
            },
            {
              "name": "RHSA-2017:1983",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1983"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1746/"
            },
            {
              "name": "RHSA-2017:1838",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1838"
            },
            {
              "name": "98460",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98460"
            },
            {
              "name": "GLSA-201710-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201710-06"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-7486",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "PostgreSQL",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "8.4 - 9.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-522"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "1038476",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1038476"
                },
                {
                  "name": "DSA-3851",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2017/dsa-3851"
                },
                {
                  "name": "RHSA-2017:2425",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2425"
                },
                {
                  "name": "RHSA-2017:1678",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1678"
                },
                {
                  "name": "RHSA-2017:1677",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1677"
                },
                {
                  "name": "RHSA-2017:1983",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1983"
                },
                {
                  "name": "https://www.postgresql.org/about/news/1746/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1746/"
                },
                {
                  "name": "RHSA-2017:1838",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1838"
                },
                {
                  "name": "98460",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98460"
                },
                {
                  "name": "GLSA-201710-06",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201710-06"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7486",
        "datePublished": "2017-05-12T19:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:04:11.547Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7485 (GCVE-0-2017-7485)

    Vulnerability from nvd – Published: 2017-05-12 19:00 – Updated: 2024-08-05 16:04
    Summary
    In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
    Severity
    No CVSS data available.
    CWE
    CWE-390
    Assigner
    redhat
    References
    URL Tags
    http://www.securitytracker.com/id/1038476 vdb-entry, x_refsource_SECTRACK
    http://www.debian.org/security/2017/dsa-3851 vendor-advisory, x_refsource_DEBIAN
    https://access.redhat.com/errata/RHSA-2017:2425 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1678 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1677 vendor-advisory, x_refsource_REDHAT
    https://www.postgresql.org/about/news/1746/ x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1838 vendor-advisory, x_refsource_REDHAT
    http://www.securityfocus.com/bid/98461 vdb-entry, x_refsource_BID
    https://security.gentoo.org/glsa/201710-06 vendor-advisory, x_refsource_GENTOO
    Impacted products
    PostgreSQL (The PostgreSQL Global Development Group): affected versions 9.3 - 9.6
    Date Public
    2017-05-12 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.584Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "1038476",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1038476"
              },
              {
                "name": "DSA-3851",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2017/dsa-3851"
              },
              {
                "name": "RHSA-2017:2425",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2425"
              },
              {
                "name": "RHSA-2017:1678",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1678"
              },
              {
                "name": "RHSA-2017:1677",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1677"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1746/"
              },
              {
                "name": "RHSA-2017:1838",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1838"
              },
              {
                "name": "98461",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98461"
              },
              {
                "name": "GLSA-201710-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201710-06"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "PostgreSQL",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.3 - 9.6"
                }
              ]
            }
          ],
          "datePublic": "2017-05-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-390",
                  "description": "CWE-390",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-04T19:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "1038476",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1038476"
            },
            {
              "name": "DSA-3851",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2017/dsa-3851"
            },
            {
              "name": "RHSA-2017:2425",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2425"
            },
            {
              "name": "RHSA-2017:1678",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1678"
            },
            {
              "name": "RHSA-2017:1677",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1677"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1746/"
            },
            {
              "name": "RHSA-2017:1838",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1838"
            },
            {
              "name": "98461",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98461"
            },
            {
              "name": "GLSA-201710-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201710-06"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-7485",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "PostgreSQL",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "9.3 - 9.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-390"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "1038476",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1038476"
                },
                {
                  "name": "DSA-3851",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2017/dsa-3851"
                },
                {
                  "name": "RHSA-2017:2425",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2425"
                },
                {
                  "name": "RHSA-2017:1678",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1678"
                },
                {
                  "name": "RHSA-2017:1677",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1677"
                },
                {
                  "name": "https://www.postgresql.org/about/news/1746/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1746/"
                },
                {
                  "name": "RHSA-2017:1838",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1838"
                },
                {
                  "name": "98461",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98461"
                },
                {
                  "name": "GLSA-201710-06",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201710-06"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7485",
        "datePublished": "2017-05-12T19:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:04:11.584Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7484 (GCVE-0-2017-7484)

    Vulnerability from nvd – Published: 2017-05-12 19:00 – Updated: 2024-08-05 16:04
    Summary
    It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
    Severity
    No CVSS data available.
    CWE
    CWE-285
    Assigner
    redhat
    References
    URL Tags
    http://www.securitytracker.com/id/1038476 vdb-entry, x_refsource_SECTRACK
    http://www.debian.org/security/2017/dsa-3851 vendor-advisory, x_refsource_DEBIAN
    https://access.redhat.com/errata/RHSA-2017:2425 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1678 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1677 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1983 vendor-advisory, x_refsource_REDHAT
    https://www.postgresql.org/about/news/1746/ x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1838 vendor-advisory, x_refsource_REDHAT
    http://www.securityfocus.com/bid/98459 vdb-entry, x_refsource_BID
    https://security.gentoo.org/glsa/201710-06 vendor-advisory, x_refsource_GENTOO
    Impacted products
    PostgreSQL (The PostgreSQL Global Development Group): affected versions 9.2 - 9.6
    Date Public
    2017-05-12 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.415Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "1038476",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1038476"
              },
              {
                "name": "DSA-3851",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "http://www.debian.org/security/2017/dsa-3851"
              },
              {
                "name": "RHSA-2017:2425",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2425"
              },
              {
                "name": "RHSA-2017:1678",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1678"
              },
              {
                "name": "RHSA-2017:1677",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1677"
              },
              {
                "name": "RHSA-2017:1983",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1983"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://www.postgresql.org/about/news/1746/"
              },
              {
                "name": "RHSA-2017:1838",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1838"
              },
              {
                "name": "98459",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98459"
              },
              {
                "name": "GLSA-201710-06",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_GENTOO",
                  "x_transferred"
                ],
                "url": "https://security.gentoo.org/glsa/201710-06"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "PostgreSQL",
              "vendor": "The PostgreSQL Global Development Group",
              "versions": [
                {
                  "status": "affected",
                  "version": "9.2 - 9.6"
                }
              ]
            }
          ],
          "datePublic": "2017-05-12T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access."
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "CWE-285",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-01-04T19:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "1038476",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1038476"
            },
            {
              "name": "DSA-3851",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "http://www.debian.org/security/2017/dsa-3851"
            },
            {
              "name": "RHSA-2017:2425",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2425"
            },
            {
              "name": "RHSA-2017:1678",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1678"
            },
            {
              "name": "RHSA-2017:1677",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1677"
            },
            {
              "name": "RHSA-2017:1983",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1983"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://www.postgresql.org/about/news/1746/"
            },
            {
              "name": "RHSA-2017:1838",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1838"
            },
            {
              "name": "98459",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98459"
            },
            {
              "name": "GLSA-201710-06",
              "tags": [
                "vendor-advisory",
                "x_refsource_GENTOO"
              ],
              "url": "https://security.gentoo.org/glsa/201710-06"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-7484",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "PostgreSQL",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "9.2 - 9.6"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "The PostgreSQL Global Development Group"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access."
                }
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-285"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "1038476",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1038476"
                },
                {
                  "name": "DSA-3851",
                  "refsource": "DEBIAN",
                  "url": "http://www.debian.org/security/2017/dsa-3851"
                },
                {
                  "name": "RHSA-2017:2425",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2425"
                },
                {
                  "name": "RHSA-2017:1678",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1678"
                },
                {
                  "name": "RHSA-2017:1677",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1677"
                },
                {
                  "name": "RHSA-2017:1983",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1983"
                },
                {
                  "name": "https://www.postgresql.org/about/news/1746/",
                  "refsource": "CONFIRM",
                  "url": "https://www.postgresql.org/about/news/1746/"
                },
                {
                  "name": "RHSA-2017:1838",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1838"
                },
                {
                  "name": "98459",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98459"
                },
                {
                  "name": "GLSA-201710-06",
                  "refsource": "GENTOO",
                  "url": "https://security.gentoo.org/glsa/201710-06"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7484",
        "datePublished": "2017-05-12T19:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:04:11.415Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }