Description
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw that allows remote authenticated attackers to retrieve passwords from the user mappings defined by foreign server owners without having the privileges to do so.
References (9)
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2017:2728
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2017/dsa-3936
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2017:2678
Third Party Advisory (vendor-advisory, x_refsource_debian): http://www.debian.org/security/2017/dsa-3935
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://www.securitytracker.com/id/1039142
Mitigation, Vendor Advisory (x_refsource_confirm): https://www.postgresql.org/about/news/1772/
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/201710-06
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/100275
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2017:2677
Scores
CVSS v3: 8.8
EPSS: 0.0103
EPSS Percentile: 77.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE: CWE-522
Status: published
Products (50)
postgresql/postgresql 9.2
postgresql/postgresql 9.2.1
postgresql/postgresql 9.2.2
postgresql/postgresql 9.2.3
postgresql/postgresql 9.2.4
postgresql/postgresql 9.2.5
postgresql/postgresql 9.2.6
postgresql/postgresql 9.2.7
postgresql/postgresql 9.2.8
postgresql/postgresql 9.2.9
... and 40 more
Published: Aug 16, 2017
Tracked Since: Feb 18, 2026