SB2017060118 - Information disclosure in postgresql (Alpine package)

Description

This security bulletin contains information about 1 vulnerability.

1) Information disclosure (CVE-ID: CVE-2017-7484)

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper privilege checking before providing information from pg_statistic. A remote attacker can send a specially crafted request to bypass SELECT privilege checks, cause memory leak and steal some information from ostensibly restricted tables.

Successful exploitation of the vulnerability results in information disclosure.

Remediation

Install update from vendor's website.

References

• https://git.alpinelinux.org/aports/commit/?id=5600c80ab97b0bed725ec1c24f981a765e54593b
• https://git.alpinelinux.org/aports/commit/?id=c2110f5a7667d71596172fb142d3a573bb958c83
• https://git.alpinelinux.org/aports/commit/?id=2b95c8929982c3ff86b48ffe921cf9ddff6aeebd
• https://git.alpinelinux.org/aports/commit/?id=5f580c412de14f7329bf77293a1c8bbce8a74d48
• https://git.alpinelinux.org/aports/commit/?id=9413330e55d1431c18c7df8b66ad98cdc9d278c7
• https://git.alpinelinux.org/aports/commit/?id=a1b0125ba4bfed27de55787fb462438f34f6d51f
• https://git.alpinelinux.org/aports/commit/?id=65a4706f6e8f861c00b64188cc452941d250cf11
• https://git.alpinelinux.org/aports/commit/?id=d0be17ae8d8f3272088069ac60a286ef7749f270
• https://git.alpinelinux.org/aports/commit/?id=798e64986d80e885bfca2aa48a03160d000eea9c
• https://git.alpinelinux.org/aports/commit/?id=b450bf3980b7ea0d8f05b827cbd9e9db745f1410
• https://git.alpinelinux.org/aports/commit/?id=b89a0b6b92fee8e782b4ada572a6fefdb853bb54
• https://git.alpinelinux.org/aports/commit/?id=d116ac43af74d2460e4d17ca1a9d175b24467cb8