SSL/TLS Connection Vulnerability in PostgreSQL by PostgreSQL Global Development Group
CVE-2017-7485

5.9MEDIUM

Key Information:

Vendor

The Postgresql Global Development Group

Status
Postgresql
Vendor
CVE Published:
12 May 2017

What is CVE-2017-7485?

This vulnerability allows for the possibility of an active Man-in-the-Middle (MitM) attacker to bypass SSL/TLS protection on connections to PostgreSQL servers. The PGREQUIRESSL environment variable does not enforce a secure connection in specific versions of PostgreSQL, which could expose sensitive data to interception. It is crucial for users of affected PostgreSQL versions to apply the necessary updates to ensure that SSL/TLS connections are properly enforced and protected against potential exploits.

Affected Version(s)

PostgreSQL 9.3 - 9.6

References

http://www.securitytracker.com/id/1038476
vdb-entryx_refsource_SECTRACK
http://www.debian.org/security/2017/dsa-3851
vendor-advisoryx_refsource_DEBIAN
https://access.redhat.com/errata/RHSA-2017:2425
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
5.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.