#VU6894 Information disclosure in PostgreSQL


Published: 2017-06-02 | Updated: 2017-06-05

Vulnerability identifier: #VU6894

Vulnerability risk: Low

CVSSv3.1: 4.3 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7486

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description
The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper implementation of pg_user_mappings access qualifications. A remote attacker with USAGE privilege on the associated foreign server can send a specially crafted request to trigger memory leak in pg_user_mappings view and disclose foreign server passwords.

Successful exploitation of the vulnerability results in information disclosure.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PostgreSQL: 9.3.1 - 9.3.16, 9.2.1 - 9.2.20, 9.4.0 - 9.4.11, 9.5.1 - 9.5.6, 9.6.0 - 9.6.2, 9.1.1 - 9.1.23, 9.0.0 - 9.0.22, 8.4.1 - 8.4.19

External links
http://www.postgresql.org/about/news/1746/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Gentoo update for PostgreSQL
Red Hat update for rh-postgresql95-postgresql
Red Hat update for PostgreSQL
Information disclosure in postgresql (Alpine package)
Amazon Linux AMI update for postgresql92
Amazon Linux AMI update for postgresql93, postgresql94, postgresql95
Arch Linux update for postgresql
Arch Linux update for postgresql-libs
Debian update for postgresql-9.4