CVSS2: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |
Vector string | AV:N/AC:L/Au:N/C:P/I:P/A:P |

CVSS3: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |
Vector string | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |

EPSS: 0.28 Low (percentile 96.9%)
Severity: High
Date : 2017-09-06
CVE-ID : CVE-2017-7546 CVE-2017-7547 CVE-2017-7548
Package : postgresql
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-381
The package postgresql before version 9.6.4-1 is vulnerable to multiple
issues including information disclosure, access restriction bypass and
authentication bypass.
Upgrade to 9.6.4-1.
The problems have been fixed upstream in version 9.6.4.
Workaround: None.
It was found that authenticating to a PostgreSQL database account with
an empty password was possible despite libpq’s refusal to send an empty
password. A remote attacker could potentially use this flaw to gain
access to database accounts with empty passwords.
An authorization flaw was found in the way PostgreSQL handled access to
the pg_user_mappings view on foreign servers. A remote authenticated
attacker could potentially use this flaw to retrieve passwords from the
user mappings defined by the foreign server owners without actually
having the privileges to do so.
An authorization flaw was found in the way PostgreSQL handled large
objects. A remote authenticated attacker with no privileges on a large
object could potentially use this flaw to overwrite the entire content
of the object, thus resulting in denial of service.
A remote unauthenticated attacker is able to gain access to database
accounts with empty passwords. Additionally, a remote authenticated user
may be able to perform a denial of service attack or retrieve passwords
from the user mappings.
https://www.postgresql.org/about/news/1772/
https://github.com/postgres/postgres/commit/d5d46d99ba47f
https://github.com/postgres/postgres/commit/b6e39ca92eeee4
https://github.com/postgres/postgres/commit/f1cda6d6cbb2
https://security.archlinux.org/CVE-2017-7546
https://security.archlinux.org/CVE-2017-7547
https://security.archlinux.org/CVE-2017-7548
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | postgresql | < 9.6.4-1 | UNKNOWN |