Description
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.
References (10)
Core 10
Core References
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2728
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3936
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2678
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2860
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/100278
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2017/dsa-3935
Third Party Advisory, VDB Entry vdb-entry
x_refsource_sectrack
http://www.securitytracker.com/id/1039142
Vendor Advisory x_refsource_confirm
https://www.postgresql.org/about/news/1772/
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/201710-06
Third Party Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2017:2677
Scores
CVSS v3
9.8
EPSS
0.3312
EPSS Percentile
97.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-287
Status
published
Products (50)
debian/debian_linux
9.0
postgresql/postgresql
9.2
postgresql/postgresql
9.2.1
postgresql/postgresql
9.2.2
postgresql/postgresql
9.2.3
postgresql/postgresql
9.2.4
postgresql/postgresql
9.2.5
postgresql/postgresql
9.2.6
postgresql/postgresql
9.2.7
postgresql/postgresql
9.2.8
... and 40 more
Published
Aug 16, 2017
Tracked Since
Feb 18, 2026