ID CVE-2017-7547
Summary PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw that allows remote authenticated attackers to retrieve passwords from user mappings defined by foreign server owners, via the pg_user_mappings view, without actually having the privileges to do so.
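The following PostgreSQL script is an added example, not part of the advisory or of the PostgreSQL project's own material. It sets up the situation the summary describes (a foreign server owner stores a password in a user mapping for a role that has not been granted USAGE on the server), shows what that role sees in pg_user_mappings, and then gives an audit query a DBA can run to find mappings in exactly that state. Every name (appuser, remote_db, svc_inventory, the host and database) is hypothetical; run it as a superuser on a scratch database.

```sql
-- Added example for CVE-2017-7547 (not from the advisory). Hypothetical names.
-- Requires postgres_fdw; CREATE SERVER does not connect, so the host is a dummy.
CREATE EXTENSION IF NOT EXISTS postgres_fdw;

-- A low-privilege login role (hypothetical).
CREATE ROLE appuser LOGIN PASSWORD 'app-login-pw';

CREATE SERVER remote_db FOREIGN DATA WRAPPER postgres_fdw
    OPTIONS (host 'db.internal.example', dbname 'inventory');

-- The server owner stores a remote credential on appuser's mapping but
-- deliberately does NOT grant USAGE on the server to appuser.
CREATE USER MAPPING FOR appuser SERVER remote_db
    OPTIONS (user 'svc_inventory', password 'S3cretRemotePw');

-- 1. What appuser can see through the view.
--    Affected releases return the options, including the password, in
--    umoptions; fixed releases return NULL here because appuser lacks USAGE.
SET ROLE appuser;
SELECT srvname, usename, umoptions
  FROM pg_user_mappings
 WHERE usename = current_user;
RESET ROLE;

-- 2. Audit query (run as superuser, which can read pg_user_mapping.umoptions):
--    list mappings that carry a password for a role without USAGE on the
--    server. These are the credentials an unpatched server would expose.
SELECT s.srvname,
       r.rolname                                          AS mapped_role,
       has_server_privilege(r.rolname, s.srvname, 'USAGE') AS has_usage
  FROM pg_user_mapping m
  JOIN pg_foreign_server s ON s.oid = m.umserver
  JOIN pg_authid r         ON r.oid = m.umuser   -- excludes PUBLIC (umuser = 0)
 WHERE EXISTS (SELECT 1 FROM unnest(m.umoptions) AS o WHERE o LIKE 'password=%')
   AND NOT has_server_privilege(r.rolname, s.srvname, 'USAGE');

-- 3. Report the server version to compare against the fixed releases
--    listed in the summary (9.2.22, 9.3.18, 9.4.13, 9.5.8, 9.6.4).
SHOW server_version;
```

Any row returned by the audit query is a password that the server owner intended to keep from the mapped role; until the server is upgraded, rotate that remote credential rather than relying on the view to hide it, since the mapped role may already have read it.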
References
Vulnerable Configurations
  • cpe:2.3:a:postgresql:postgresql:9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.14:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.15:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.16:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.17:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.18:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.19:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.20:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.2.21:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.8:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.9:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.10:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.11:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.12:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.13:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.14:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.15:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.16:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.3.17:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.5:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.7:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.8:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.9:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.10:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.11:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.4.12:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.5:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.5.1.:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.5.5:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.5.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.5.7:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.6.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.6.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:9.6.3:*:*:*:*:*:*:*
CVSS
Base: 4.0 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: SINGLE
Impact
  Confidentiality: PARTIAL
  Integrity: NONE
  Availability: NONE
cvss-vector via4 AV:N/AC:L/Au:S/C:P/I:N/A:N
redhat via4
advisories
  • bugzilla
    id 1477185
    title CVE-2017-7547 postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
    oval
    AND
    • OR
      • comment Red Hat Enterprise Linux 7 Client is installed
        oval oval:com.redhat.rhba:tst:20150364001
      • comment Red Hat Enterprise Linux 7 Server is installed
        oval oval:com.redhat.rhba:tst:20150364002
      • comment Red Hat Enterprise Linux 7 Workstation is installed
        oval oval:com.redhat.rhba:tst:20150364003
      • comment Red Hat Enterprise Linux 7 ComputeNode is installed
        oval oval:com.redhat.rhba:tst:20150364004
    • OR
      • AND
        • comment postgresql is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728015
        • comment postgresql is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908006
      • AND
        • comment postgresql-contrib is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728007
        • comment postgresql-contrib is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908014
      • AND
        • comment postgresql-devel is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728025
        • comment postgresql-devel is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908010
      • AND
        • comment postgresql-docs is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728023
        • comment postgresql-docs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908016
      • AND
        • comment postgresql-libs is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728011
        • comment postgresql-libs is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908024
      • AND
        • comment postgresql-plperl is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728013
        • comment postgresql-plperl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908022
      • AND
        • comment postgresql-plpython is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728021
        • comment postgresql-plpython is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908018
      • AND
        • comment postgresql-pltcl is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728009
        • comment postgresql-pltcl is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908020
      • AND
        • comment postgresql-server is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728017
        • comment postgresql-server is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908012
      • AND
        • comment postgresql-static is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728005
        • comment postgresql-static is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20171983026
      • AND
        • comment postgresql-test is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728019
        • comment postgresql-test is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20100908008
      • AND
        • comment postgresql-upgrade is earlier than 0:9.2.23-1.el7_4
          oval oval:com.redhat.rhsa:tst:20172728027
        • comment postgresql-upgrade is signed with Red Hat redhatrelease2 key
          oval oval:com.redhat.rhsa:tst:20150750037
    rhsa
    id RHSA-2017:2728
    released 2017-09-14
    severity Moderate
    title RHSA-2017:2728: postgresql security update (Moderate)
  • rhsa
    id RHSA-2017:2677
  • rhsa
    id RHSA-2017:2678
rpms
  • postgresql-0:9.2.23-1.el7_4
  • postgresql-contrib-0:9.2.23-1.el7_4
  • postgresql-devel-0:9.2.23-1.el7_4
  • postgresql-docs-0:9.2.23-1.el7_4
  • postgresql-libs-0:9.2.23-1.el7_4
  • postgresql-plperl-0:9.2.23-1.el7_4
  • postgresql-plpython-0:9.2.23-1.el7_4
  • postgresql-pltcl-0:9.2.23-1.el7_4
  • postgresql-server-0:9.2.23-1.el7_4
  • postgresql-static-0:9.2.23-1.el7_4
  • postgresql-test-0:9.2.23-1.el7_4
  • postgresql-upgrade-0:9.2.23-1.el7_4
refmap via4
bid 100275
confirm https://www.postgresql.org/about/news/1772/
debian
  • DSA-3935
  • DSA-3936
gentoo GLSA-201710-06
sectrack 1039142
Last major update 03-10-2019 - 00:03
Published 16-08-2017 - 18:29