PT-2017-3820 · Postgresql+3
Published: 2017-05-11 · Updated: 2026-01-30
CVE-2017-7484
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
PostgreSQL versions prior to 9.2.21
PostgreSQL versions 9.3.x prior to 9.3.17
PostgreSQL versions 9.4.x prior to 9.4.12
PostgreSQL versions 9.5.x prior to 9.5.7
PostgreSQL versions 9.6.x prior to 9.6.3
Description
The issue is related to selectivity estimation functions in PostgreSQL that did not check user privileges before providing information from pg_statistic, potentially leaking information. An unprivileged attacker could exploit this to steal information from tables they are not allowed to access. The vulnerability allows a remote attacker to gain access to confidential data by bypassing the SELECT privilege checks.
Recommendations
For versions prior to 9.2.21, update to version 9.2.21 or later.
For versions 9.3.x prior to 9.3.17, update to version 9.3.17 or later.
For versions 9.4.x prior to 9.4.12, update to version 9.4.12 or later.
For versions 9.5.x prior to 9.5.7, update to version 9.5.7 or later.
For versions 9.6.x prior to 9.6.3, update to version 9.6.3 or later.
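A triage check for the version ranges listed above, as an added example that is not part of the original advisory or of PostgreSQL's own code: it classifies a version string, as returned by SHOW server_version or SELECT version(), against those ranges and reports the minimum fixed release. The function names and sample strings are constructed for illustration, and treating releases numbered 10 and later as unaffected is an assumption based on their absence from the list above.

```python
import re

# Fixed patch level per branch, from the advisory's affected-version list.
FIXED = {(9, 2): 21, (9, 3): 17, (9, 4): 12, (9, 5): 7, (9, 6): 3}
OLDEST_FIXED = (9, 2, 21)

# Anchored at the start so a compiler version later in version() output is ignored.
_VERSION_RE = re.compile(r"^(?:PostgreSQL\s+)?(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from server_version or version() output."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"no PostgreSQL version found in {text!r}")
    # Pre-releases such as "9.6beta1" carry no patch number; treat it as 0.
    return tuple(int(part or 0) for part in m.groups())


def assess(text):
    """Return (affected, minimum fixed version or None) for CVE-2017-7484."""
    major, minor, patch = parse_version(text)
    if major >= 10:
        # Assumption: 10 and later are outside the advisory's affected list.
        return False, None
    fixed = FIXED.get((major, minor))
    if fixed is not None:
        return (True, f"{major}.{minor}.{fixed}") if patch < fixed else (False, None)
    if (major, minor, patch) < OLDEST_FIXED:
        # Older branches fall under "prior to 9.2.21"; no in-branch fix is listed.
        return True, "9.2.21"
    return False, None


if __name__ == "__main__":
    # Constructed sample inventory, not taken from real hosts.
    samples = [
        "PostgreSQL 9.4.11 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5, 64-bit",
        "9.6.3",
        "9.1.24",
        "9.6beta1",
    ]
    for s in samples:
        affected, fix = assess(s)
        print(f"{s.split(',')[0]:45} affected={affected} upgrade_to={fix}")
```

Distribution packages can carry backported fixes under an older upstream version number, so confirm a positive result against the vendor's package changelog before scheduling the upgrade.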
Fix
Improper Authorization
Information Disclosure
Related Identifiers
Affected Products
Centos
Postgresql
Red Hat
Suse