Information Disclosure Vulnerability in PostgreSQL by PostgreSQL Global Development Group
CVE-2017-7484

7.5HIGH

Key Information:

Vendor

The Postgresql Global Development Group

Status
Postgresql
Vendor
CVE Published:
12 May 2017

What is CVE-2017-7484?

Certain selectivity estimation functions in PostgreSQL prior to specific versions fail to verify user privileges before disclosing data from pg_statistic. This oversight can be exploited by an unauthorized attacker to glean sensitive information from tables they are not permitted to access. Such vulnerabilities underline the importance of stringent access controls within database management systems.

Affected Version(s)

PostgreSQL 9.2 - 9.6

References

http://www.securitytracker.com/id/1038476
vdb-entryx_refsource_SECTRACK
http://www.debian.org/security/2017/dsa-3851
vendor-advisoryx_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2017:2425
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.