7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
0.008 Low
EPSS
Percentile
81.2%
The startup log file for the postmaster (in newer releases, “postgres”) process was opened while the process was still owned by root. With this setup, the database owner could specify a file that they did not have access to and cause the file to be corrupted with logged data (CVE-2017-12172). Crash due to rowtype mismatch in json{b}_populate_recordset(). These functions used the result rowtype specified in the FROM … AS clause without checking that it matched the actual rowtype of the supplied tuple value. If it didn’t, that would usually result in a crash, though disclosure of server memory contents seems possible as well (CVE-2017-15098). The “INSERT … ON CONFLICT DO UPDATE” would not check to see if the executing user had permission to perform a “SELECT” on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the “INSERT … ON CONFLICT DO UPDATE” would not check the SELECT policies for that table before performing the update (CVE-2017-15099).
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Mageia | 5 | noarch | postgresql9.3 | < 9.3.20-1 | postgresql9.3-9.3.20-1.mga5 |
Mageia | 5 | noarch | postgresql9.4 | < 9.4.15-1 | postgresql9.4-9.4.15-1.mga5 |
Mageia | 6 | noarch | postgresql9.4 | < 9.4.15-1 | postgresql9.4-9.4.15-1.mga6 |
Mageia | 6 | noarch | postgresql9.6 | < 9.6.6-1 | postgresql9.6-9.6.6-1.mga6 |
bugs.mageia.org/show_bug.cgi?id=22002
www.debian.org/security/2017/dsa-4027
www.debian.org/security/2017/dsa-4028
www.postgresql.org/about/news/1801/
www.postgresql.org/docs/9.3/static/release-9-3-20.html
www.postgresql.org/docs/9.4/static/release-9-4-15.html
www.postgresql.org/docs/9.6/static/release-9-6-6.html
7.2 High
CVSS2
Attack Vector
LOCAL
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
0.008 Low
EPSS
Percentile
81.2%