Remote Code Execution Vulnerability in PostgreSQL by Vendor PostgreSQL
CVE-2017-12172
Summary
PostgreSQL versions 10.x prior to 10.1 and various 9.x versions are susceptible to a remote code execution vulnerability. The issue arises when PostgreSQL runs under a non-root operation account and database superusers are granted the ability to execute arbitrary code. This vulnerability is exploitative in nature, as attackers could potentially escalate their privileges to root level. The root of the problem lies in the handling of log file names, which database superusers may replace with symbolic links that the system executes as root upon starting the server. This configuration creates a loophole that can be abused, underscoring the importance of applying timely updates and utilizing stringent security practices.
Affected Version(s)
postgresql 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, 9.2.x before 9.2.24
References
CVSS V3.1
Timeline
Vulnerability published
Vulnerability Reserved