ID CVE-2017-7547
Summary PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw that allows remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.
Vulnerable Configurations
  • PostgreSQL 9.2
    cpe:2.3:a:postgresql:postgresql:9.2
  • PostgreSQL 9.2.1
    cpe:2.3:a:postgresql:postgresql:9.2.1
  • PostgreSQL 9.2.2
    cpe:2.3:a:postgresql:postgresql:9.2.2
  • PostgreSQL 9.2.3
    cpe:2.3:a:postgresql:postgresql:9.2.3
  • PostgreSQL 9.2.4
    cpe:2.3:a:postgresql:postgresql:9.2.4
  • PostgreSQL 9.2.5
    cpe:2.3:a:postgresql:postgresql:9.2.5
  • PostgreSQL 9.2.6
    cpe:2.3:a:postgresql:postgresql:9.2.6
  • PostgreSQL 9.2.7
    cpe:2.3:a:postgresql:postgresql:9.2.7
  • PostgreSQL 9.2.8
    cpe:2.3:a:postgresql:postgresql:9.2.8
  • PostgreSQL 9.2.9
    cpe:2.3:a:postgresql:postgresql:9.2.9
  • PostgreSQL 9.2.10
    cpe:2.3:a:postgresql:postgresql:9.2.10
  • PostgreSQL 9.2.11
    cpe:2.3:a:postgresql:postgresql:9.2.11
  • PostgreSQL 9.2.12
    cpe:2.3:a:postgresql:postgresql:9.2.12
  • PostgreSQL 9.2.13
    cpe:2.3:a:postgresql:postgresql:9.2.13
  • PostgreSQL 9.2.14
    cpe:2.3:a:postgresql:postgresql:9.2.14
  • PostgreSQL 9.2.15
    cpe:2.3:a:postgresql:postgresql:9.2.15
  • PostgreSQL 9.2.16
    cpe:2.3:a:postgresql:postgresql:9.2.16
  • PostgreSQL 9.2.17
    cpe:2.3:a:postgresql:postgresql:9.2.17
  • PostgreSQL 9.2.18
    cpe:2.3:a:postgresql:postgresql:9.2.18
  • PostgreSQL 9.2.19
    cpe:2.3:a:postgresql:postgresql:9.2.19
  • PostgreSQL 9.2.20
    cpe:2.3:a:postgresql:postgresql:9.2.20
  • PostgreSQL 9.2.21
    cpe:2.3:a:postgresql:postgresql:9.2.21
  • PostgreSQL 9.3
    cpe:2.3:a:postgresql:postgresql:9.3
  • PostgreSQL 9.3.1
    cpe:2.3:a:postgresql:postgresql:9.3.1
  • PostgreSQL 9.3.2
    cpe:2.3:a:postgresql:postgresql:9.3.2
  • PostgreSQL 9.3.3
    cpe:2.3:a:postgresql:postgresql:9.3.3
  • PostgreSQL 9.3.4
    cpe:2.3:a:postgresql:postgresql:9.3.4
  • PostgreSQL 9.3.5
    cpe:2.3:a:postgresql:postgresql:9.3.5
  • PostgreSQL 9.3.6
    cpe:2.3:a:postgresql:postgresql:9.3.6
  • PostgreSQL 9.3.7
    cpe:2.3:a:postgresql:postgresql:9.3.7
  • PostgreSQL 9.3.8
    cpe:2.3:a:postgresql:postgresql:9.3.8
  • PostgreSQL 9.3.9
    cpe:2.3:a:postgresql:postgresql:9.3.9
  • PostgreSQL 9.3.10
    cpe:2.3:a:postgresql:postgresql:9.3.10
  • PostgreSQL 9.3.11
    cpe:2.3:a:postgresql:postgresql:9.3.11
  • PostgreSQL 9.3.12
    cpe:2.3:a:postgresql:postgresql:9.3.12
  • PostgreSQL 9.3.13
    cpe:2.3:a:postgresql:postgresql:9.3.13
  • PostgreSQL 9.3.14
    cpe:2.3:a:postgresql:postgresql:9.3.14
  • PostgreSQL 9.3.15
    cpe:2.3:a:postgresql:postgresql:9.3.15
  • PostgreSQL 9.3.16
    cpe:2.3:a:postgresql:postgresql:9.3.16
  • PostgreSQL 9.3.17
    cpe:2.3:a:postgresql:postgresql:9.3.17
  • PostgreSQL 9.4
    cpe:2.3:a:postgresql:postgresql:9.4
  • PostgreSQL 9.4.1
    cpe:2.3:a:postgresql:postgresql:9.4.1
  • PostgreSQL 9.4.2
    cpe:2.3:a:postgresql:postgresql:9.4.2
  • PostgreSQL 9.4.3
    cpe:2.3:a:postgresql:postgresql:9.4.3
  • PostgreSQL 9.4.4
    cpe:2.3:a:postgresql:postgresql:9.4.4
  • PostgreSQL 9.4.5
    cpe:2.3:a:postgresql:postgresql:9.4.5
  • PostgreSQL 9.4.6
    cpe:2.3:a:postgresql:postgresql:9.4.6
  • PostgreSQL 9.4.7
    cpe:2.3:a:postgresql:postgresql:9.4.7
  • PostgreSQL 9.4.8
    cpe:2.3:a:postgresql:postgresql:9.4.8
  • PostgreSQL 9.4.9
    cpe:2.3:a:postgresql:postgresql:9.4.9
  • PostgreSQL 9.4.10
    cpe:2.3:a:postgresql:postgresql:9.4.10
  • PostgreSQL 9.4.11
    cpe:2.3:a:postgresql:postgresql:9.4.11
  • PostgreSQL 9.4.12
    cpe:2.3:a:postgresql:postgresql:9.4.12
  • PostgreSQL 9.5
    cpe:2.3:a:postgresql:postgresql:9.5
  • PostgreSQL 9.5.1
    cpe:2.3:a:postgresql:postgresql:9.5.1.
  • PostgreSQL 9.5.2
    cpe:2.3:a:postgresql:postgresql:9.5.2
  • PostgreSQL 9.5.3
    cpe:2.3:a:postgresql:postgresql:9.5.3
  • PostgreSQL 9.5.4
    cpe:2.3:a:postgresql:postgresql:9.5.4
  • PostgreSQL 9.5.5
    cpe:2.3:a:postgresql:postgresql:9.5.5
  • PostgreSQL 9.5.6
    cpe:2.3:a:postgresql:postgresql:9.5.6
  • PostgreSQL 9.5.7
    cpe:2.3:a:postgresql:postgresql:9.5.7
  • PostgreSQL 9.6
    cpe:2.3:a:postgresql:postgresql:9.6
  • PostgreSQL 9.6.1
    cpe:2.3:a:postgresql:postgresql:9.6.1
  • PostgreSQL 9.6.2
    cpe:2.3:a:postgresql:postgresql:9.6.2
  • PostgreSQL 9.6.3
    cpe:2.3:a:postgresql:postgresql:9.6.3
CVSS
Base: 4.0
CWE CWE-285
CAPEC
  • Accessing Functionality Not Properly Constrained by ACLs
    In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality, particularly URLs for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that they are otherwise not supposed to access.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Directory Indexing
    An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Manipulating Opaque Client-based Data Tokens
    In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth), that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information), then even opaquely manipulating that data may bear fruit for an attacker. In this pattern an attacker undermines the assumption that client-side tokens have been adequately protected from tampering through use of encryption or obfuscation.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Poison Web Service Registry
    SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata (to effect a denial of service), and delete information about service provider interfaces. WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. The attacker that can rewrite WS-addressing information gains the ability to route service requesters to any service providers, and the ability to route service provider response to any service. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol. The basic flow for the attacker consists of either altering the data at rest in the registry or uploading malicious content by spoofing a service provider. The service requester is then redirected to send its requests and/or responses to services the attacker controls.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP globals, and so forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
  • Forceful Browsing
    An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201710-06.NASL
    description The remote host is affected by the vulnerability described in GLSA-201710-06 (PostgreSQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details. Impact : A remote attacker could escalate privileges, cause a Denial of Service condition, obtain passwords, cause a loss in information, or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 103724
    published 2017-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103724
    title GLSA-201710-06 : PostgreSQL: Multiple vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-2728.NASL
    description From Red Hat Security Advisory 2017:2728 : An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.23). (BZ#1484639, BZ#1484647) Security Fix(es) : * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) * An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as the original reporters of CVE-2017-7546; and Jeff Janes as the original reporter of CVE-2017-7547.
    last seen 2019-02-21
    modified 2018-07-25
    plugin id 103238
    published 2017-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103238
    title Oracle Linux 7 : postgresql (ELSA-2017-2728)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-2728.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.23). (BZ#1484639, BZ#1484647) Security Fix(es) : * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) * An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as the original reporters of CVE-2017-7546; and Jeff Janes as the original reporter of CVE-2017-7547.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 103230
    published 2017-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103230
    title CentOS 7 : postgresql (CESA-2017:2728)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1232.NASL
    description According to the versions of the postgresql packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) - An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 103734
    published 2017-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103734
    title EulerOS 2.0 SP2 : postgresql (EulerOS-SA-2017-1232)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-884.NASL
    description pg_user_mappings view discloses passwords to users lacking server privileges : An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Empty password accepted in some authentication methods : It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 102872
    published 2017-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102872
    title Amazon Linux AMI : postgresql93 / postgresql92 (ALAS-2017-884)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20170914_POSTGRESQL_ON_SL7_X.NASL
    description The following packages have been upgraded to a later upstream version: postgresql (9.2.23). Security Fix(es) : - It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) - An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547)
    last seen 2019-02-21
    modified 2018-12-27
    plugin id 103244
    published 2017-09-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103244
    title Scientific Linux Security Update : postgresql on SL7.x x86_64
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-908.NASL
    description The pg_user_mappings view discloses passwords to users lacking server privileges : An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Empty password accepted in some authentication methods : It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 103755
    published 2017-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103755
    title Amazon Linux AMI : postgresql96 (ALAS-2017-908)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3390-1.NASL
    description Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that PostgreSQL allowed the use of empty passwords in some authentication methods, contrary to expected behaviour. A remote attacker could use an empty password to authenticate to servers that were believed to have password login disabled. (CVE-2017-7546) Jeff Janes discovered that PostgreSQL incorrectly handled the pg_user_mappings catalog view. A remote attacker without server privileges could possibly use this issue to obtain certain passwords. (CVE-2017-7547) Chapman Flack discovered that PostgreSQL incorrectly handled lo_put() permissions. A remote attacker could possibly use this issue to change the data in a large object. (CVE-2017-7548). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 102522
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102522
    title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities (USN-3390-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-2728.NASL
    description An update for postgresql is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. PostgreSQL is an advanced object-relational database management system (DBMS). The following packages have been upgraded to a later upstream version: postgresql (9.2.23). (BZ#1484639, BZ#1484647) Security Fix(es) : * It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) * An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Ben de Graaff, Jelte Fennema, and Jeroen van der Ham as the original reporters of CVE-2017-7546; and Jeff Janes as the original reporter of CVE-2017-7547.
    last seen 2019-02-21
    modified 2018-12-20
    plugin id 103209
    published 2017-09-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103209
    title RHEL 7 : postgresql (RHSA-2017:2728)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1231.NASL
    description According to the versions of the postgresql packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) - An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 103733
    published 2017-10-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103733
    title EulerOS 2.0 SP1 : postgresql (EulerOS-SA-2017-1231)
  • NASL family Databases
    NASL id POSTGRESQL_20170810.NASL
    description The version of PostgreSQL installed on the remote host is 9.2.x prior to 9.2.22, 9.3.x prior to 9.3.18, 9.4.x prior to 9.4.13, 9.5.x prior to 9.5.8, or 9.6.x prior to 9.6.4. It is, therefore, affected by multiple vulnerabilities : - An authentication bypass flaw exists in that an empty password is accepted in some authentication methods. (CVE-2017-7546) - An information disclosure vulnerability exists in the 'pg_user_mappings' catalog view that can disclose passwords to users lacking server privileges. (CVE-2017-7547) Note: The 'pg_user_mappings' update will only fix the behavior in newly created clusters utilizing initdb. To fix this issue on existing systems you will need to follow the steps in the release notes. - A flaw exists in the lo_put() function due to improper checking of permissions that leads to ignoring of ACLs. (CVE-2017-7548)
    last seen 2019-02-21
    modified 2018-12-14
    plugin id 102527
    published 2017-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102527
    title PostgreSQL 9.2.x < 9.2.22 / 9.3.x < 9.3.18 / 9.4.x < 9.4.13 / 9.5.x < 9.5.8 / 9.6.x < 9.6.4 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-D9CAC37BD8.NASL
    description rebase: update to 9.6.4, security fix for CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 Per release notes: https://www.postgresql.org/docs/9.6/static/release-9-6-4.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102490
    published 2017-08-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102490
    title Fedora 26 : postgresql (2017-d9cac37bd8)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1021.NASL
    description This update for postgresql96 fixes the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) The changelog for this release is here: https://www.postgresql.org/docs/9.6/static/release-9-6-4.html This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 103157
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103157
    title openSUSE Security Update : postgresql96 (openSUSE-2017-1021)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-985.NASL
    description Postgresql93 was updated to 9.3.18 to fix the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) The changelog for the release is here : https://www.postgresql.org/docs/9.3/static/release-9-3-18.html This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102847
    published 2017-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102847
    title openSUSE Security Update : postgresql93 (openSUSE-2017-985)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3936.NASL
    description Several vulnerabilities have been found in the PostgreSQL database system : - CVE-2017-7546 In some authentication methods empty passwords were accepted. - CVE-2017-7547 User mappings could leak data to unprivileged users. - CVE-2017-7548 The lo_put() function ignored ACLs. For more in-depth descriptions of the security vulnerabilities, please see https://www.postgresql.org/about/news/1772/
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102443
    published 2017-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102443
    title Debian DSA-3936-1 : postgresql-9.6 - security update
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1051.NASL
    description Several vulnerabilities have been found in the PostgreSQL database system : CVE-2017-7486 Andrew Wheelwright discovered that user mappings were insufficiently restricted. CVE-2017-7546 In some authentication methods empty passwords were accepted. CVE-2017-7547 User mappings could leak data to unprivileged users. For Debian 7 'Wheezy', these problems have been fixed in version 9.1.24lts2-0+deb7u1. We recommend that you upgrade your postgresql-9.1 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-09
    plugin id 102368
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102368
    title Debian DLA-1051-1 : postgresql-9.1 security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-1020.NASL
    description This update for postgresql94 fixes the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 103156
    published 2017-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103156
    title openSUSE Security Update : postgresql94 (openSUSE-2017-1020)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-9148FE36B9.NASL
    description rebase: update to 9.5.8, security fix for CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 Per release notes: http://www.postgresql.org/docs/9.5/static/release-9-5-8.html Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102828
    published 2017-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102828
    title Fedora 25 : postgresql (2017-9148fe36b9)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2236-1.NASL
    description Postgresql93 was updated to 9.3.18 to fix the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) The changelog for the release is here: https://www.postgresql.org/docs/9.3/static/release-9-3-18.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102695
    published 2017-08-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102695
    title SUSE SLES12 Security Update : postgresql93 (SUSE-SU-2017:2236-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3935.NASL
    description Several vulnerabilities have been found in the PostgreSQL database system : - CVE-2017-7546 In some authentication methods empty passwords were accepted. - CVE-2017-7547 User mappings could leak data to unprivileged users. - CVE-2017-7548 The lo_put() function ignored ACLs. For more in-depth descriptions of the security vulnerabilities, please see https://www.postgresql.org/about/news/1772/
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102442
    published 2017-08-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102442
    title Debian DSA-3935-1 : postgresql-9.4 - security update
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_982872F17DD311E797366CC21735F730.NASL
    description The PostgreSQL project reports : - CVE-2017-7546: Empty password accepted in some authentication methods - CVE-2017-7547: The 'pg_user_mappings' catalog view discloses passwords to users lacking server privileges - CVE-2017-7548: lo_put() function ignores ACLs
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 102408
    published 2017-08-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102408
    title FreeBSD : PostgreSQL vulnerabilities (982872f1-7dd3-11e7-9736-6cc21735f730)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2356-1.NASL
    description This update for postgresql96 fixes the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) The changelog for this release is here: https://www.postgresql.org/docs/9.6/static/release-9-6-4.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102974
    published 2017-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102974
    title SUSE SLED12 / SLES12 Security Update : postgresql96 (SUSE-SU-2017:2356-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-885.NASL
    description pg_user_mappings view discloses passwords to users lacking server privileges : An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. (CVE-2017-7547) Empty password accepted in some authentication methods : It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. (CVE-2017-7546) lo_put() function ignores ACLs : An authorization flaw was found in the way PostgreSQL handled large objects. A remote authenticated attacker with no privileges on a large object could potentially use this flaw to overwrite the entire content of the object, thus resulting in denial of service. (CVE-2017-7548)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 102873
    published 2017-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102873
    title Amazon Linux AMI : postgresql94 / postgresql95 (ALAS-2017-885)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2355-1.NASL
    description This update for postgresql94 fixes the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-30
    plugin id 102973
    published 2017-09-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102973
    title SUSE SLED12 / SLES12 Security Update : postgresql94 (SUSE-SU-2017:2355-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-2258-1.NASL
    description Postgresql94 was updated to 9.4.13 to fix the following issues : - CVE-2017-7547: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. (bsc#1051685) - CVE-2017-7546: Disallow empty passwords in all password-based authentication methods. (bsc#1051684) - CVE-2017-7548: lo_put() function ignores ACLs. (bsc#1053259) The changelog for this release is here: https://www.postgresql.org/docs/9.4/static/release-9-4-13.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 102800
    published 2017-08-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102800
    title SUSE SLES11 Security Update : postgresql94 (SUSE-SU-2017:2258-1)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-204.NASL
    description This update for postgresql95 fixes the following issues : Update to PostgreSQL 9.5.11 : Security issues fixed : - https://www.postgresql.org/docs/9.5/static/release-9-5-11.html - CVE-2018-1053, boo#1077983: Ensure that all temporary files made by pg_upgrade are non-world-readable. - boo#1079757: Rename pg_rewind's copy_file_range function to avoid conflict with new Linux system call of that name. In version 9.5.10 : - https://www.postgresql.org/docs/9.5/static/release-9-5-10.html - CVE-2017-15098, boo#1067844: Memory disclosure in JSON functions. - CVE-2017-15099, boo#1067841: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges. In version 9.5.9 : - https://www.postgresql.org/docs/9.5/static/release-9-5-9.html - Show foreign tables in information_schema.table_privileges view. - Clean up handling of a fatal exit (e.g., due to receipt of SIGTERM) that occurs while trying to execute a ROLLBACK of a failed transaction. - Remove assertion that could trigger during a fatal exit. - Correctly identify columns that are of a range type or domain type over a composite type or domain type being searched for. - Fix crash in pg_restore when using parallel mode and using a list file to select a subset of items to restore. - Change ecpg's parser to allow RETURNING clauses without attached C variables. In version 9.5.8 - https://www.postgresql.org/docs/9.5/static/release-9-5-8.html - CVE-2017-7547, boo#1051685: Further restrict visibility of pg_user_mappings.umoptions, to protect passwords stored as user mapping options. - CVE-2017-7546, boo#1051684: Disallow empty passwords in all password-based authentication methods. - CVE-2017-7548, boo#1053259: lo_put() function ignores ACLs.
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 106965
    published 2018-02-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106965
    title openSUSE Security Update : postgresql95 (openSUSE-2018-204)
redhat via4
advisories
  • bugzilla
    id 1477185
    title CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhsa:tst:20140675001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhsa:tst:20140675002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhsa:tst:20140675003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhsa:tst:20140675004
    • OR
      • AND
        • comment postgresql is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728015
        • comment postgresql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908006
      • AND
        • comment postgresql-contrib is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728007
        • comment postgresql-contrib is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908014
      • AND
        • comment postgresql-devel is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728025
        • comment postgresql-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908010
      • AND
        • comment postgresql-docs is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728023
        • comment postgresql-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908016
      • AND
        • comment postgresql-libs is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728011
        • comment postgresql-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908024
      • AND
        • comment postgresql-plperl is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728013
        • comment postgresql-plperl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908022
      • AND
        • comment postgresql-plpython is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728021
        • comment postgresql-plpython is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908018
      • AND
        • comment postgresql-pltcl is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728009
        • comment postgresql-pltcl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908020
      • AND
        • comment postgresql-server is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728017
        • comment postgresql-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908012
      • AND
        • comment postgresql-static is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728005
        • comment postgresql-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20171983026
      • AND
        • comment postgresql-test is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728019
        • comment postgresql-test is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908008
      • AND
        • comment postgresql-upgrade is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728027
        • comment postgresql-upgrade is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150750037
    rhsa
    id RHSA-2017:2728
    released 2017-09-14
    severity Moderate
    title RHSA-2017:2728: postgresql security update (Moderate)
  • rhsa
    id RHSA-2017:2677
  • rhsa
    id RHSA-2017:2678
rpms
  • postgresql-0:9.2.23-1.el7_4
  • postgresql-contrib-0:9.2.23-1.el7_4
  • postgresql-devel-0:9.2.23-1.el7_4
  • postgresql-docs-0:9.2.23-1.el7_4
  • postgresql-libs-0:9.2.23-1.el7_4
  • postgresql-plperl-0:9.2.23-1.el7_4
  • postgresql-plpython-0:9.2.23-1.el7_4
  • postgresql-pltcl-0:9.2.23-1.el7_4
  • postgresql-server-0:9.2.23-1.el7_4
  • postgresql-static-0:9.2.23-1.el7_4
  • postgresql-test-0:9.2.23-1.el7_4
  • postgresql-upgrade-0:9.2.23-1.el7_4
refmap via4
bid 100275
confirm https://www.postgresql.org/about/news/1772/
debian
  • DSA-3935
  • DSA-3936
gentoo GLSA-201710-06
sectrack 1039142
Last major update 16-08-2017 - 14:29
Published 16-08-2017 - 14:29
Last modified 30-12-2017 - 21:29