CVE-2017-7547

HIGH

PostgreSQL <9.2.22-9.6.4 - Privilege Escalation

Title source: llm

Description

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to an authorization flaw that allows remote authenticated attackers to retrieve passwords from the user mappings defined by foreign server owners without actually having the privileges to do so.

Scores

CVSS v3 8.8
EPSS 0.0111
EPSS Percentile 77.9%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-522
Status draft

Affected Products (50)

postgresql/postgresql
... and 35 more

Timeline

Published Aug 16, 2017
Tracked Since Feb 18, 2026