Information disclosure in PostgreSQL - CVE-2017-7484
Published: June 2, 2017 / Updated: June 5, 2017
Vulnerability identifier: #VU6892
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-7484
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: PostgreSQL Global Development Group
Affected software:
PostgreSQL
PostgreSQL
Detailed vulnerability description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.
The weakness exists due to improper privilege checking before providing information from pg_statistic. A remote attacker can send a specially crafted request to bypass SELECT privilege checks, cause memory leak and steal some information from ostensibly restricted tables.
Successful exploitation of the vulnerability results in information disclosure.
The weakness exists due to improper privilege checking before providing information from pg_statistic. A remote attacker can send a specially crafted request to bypass SELECT privilege checks, cause memory leak and steal some information from ostensibly restricted tables.
Successful exploitation of the vulnerability results in information disclosure.
How to mitigate CVE-2017-7484
Update to versions 9.2.21, 9.3.17, 9.4.12, 9.5.7, 9.6.3.