PT-2017-3884 · Postgresql+3

Andrew Wheelwright · Published 2017-05-11 · Updated 2026-01-30 · CVE-2017-7486

CVSS v2.0: 7.8 High
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions
PostgreSQL versions 8.4 through 9.6

Description
The issue is caused by insufficient protection of credentials in the pg_user_mappings component of the PostgreSQL database management system. A remote attacker with USAGE privileges can exploit it to gain access to the credentials of a third-party server: the pg_user_mappings view leaks foreign server passwords to any user with USAGE privilege on the associated foreign server.

Recommendations
For PostgreSQL versions 8.4 through 9.6, restrict access to the pg_user_mappings view to minimize the risk of exploitation. As a temporary workaround, consider revoking USAGE privileges on foreign servers from untrusted users until a patch is available.
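
An added example, not part of the original advisory: an audit and workaround script for the recommendations above, to be run as a superuser. The names `remote_srv` and `untrusted_role` are placeholders to replace with values from the audit output.

```sql
-- Added example for CVE-2017-7486; not taken from the advisory itself.
-- Placeholders (assumptions): remote_srv, untrusted_role.

-- 1. Foreign servers with user mappings that carry options.
--    Mapping options are where a remote password would be stored.
--    Only counts are shown, so no secret is printed by the audit.
SELECT s.srvname,
       count(*) AS mappings_with_options
FROM pg_catalog.pg_user_mapping AS m
JOIN pg_catalog.pg_foreign_server AS s ON s.oid = m.umserver
WHERE m.umoptions IS NOT NULL
GROUP BY s.srvname
ORDER BY s.srvname;

-- 2. Non-superuser roles that hold USAGE on a foreign server,
--    directly or through role membership. These are the roles
--    the advisory says can read the stored passwords.
SELECT s.srvname,
       r.rolname,
       (r.oid = s.srvowner) AS is_owner
FROM pg_catalog.pg_foreign_server AS s
CROSS JOIN pg_catalog.pg_roles AS r
WHERE NOT r.rolsuper
  AND pg_catalog.has_server_privilege(r.oid, s.oid, 'USAGE')
ORDER BY s.srvname, r.rolname;

-- 3. Temporary workaround: revoke USAGE from each untrusted role
--    reported by query 2 (repeat per server and role).
REVOKE USAGE ON FOREIGN SERVER remote_srv FROM untrusted_role;

-- 4. Restrict the view itself so only explicitly granted roles
--    can select from it.
REVOKE SELECT ON pg_catalog.pg_user_mappings FROM PUBLIC;

-- 5. Re-run query 2 and confirm the revoked roles no longer appear.
```

A role that still appears in query 2 after step 3 inherits USAGE through membership in another role, so the revoke has to be applied to that granting role as well.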

Fix

Insufficiently Protected Credentials

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2019-04175
CESA-2017_1983
CLEANSTART-2026-FW42039
CLEANSTART-2026-HJ04971
CVE-2017-7486
DLA-1051-1
DSA-3851-1
MGASA-2017-0230
RHSA-2017:1677
RHSA-2017:1678
RHSA-2017:1838
RHSA-2017:1983
RHSA-2017:2425
RHSA-2017_1983
SUSE-SU-2017:1441-1
SUSE-SU-2017:1690-1
SUSE-SU-2017:1783-1

Affected Products

Centos
Postgresql
Red Hat
Suse