#VU7873 Authentication bypass in PostgreSQL


Published: 2017-08-15

Vulnerability identifier: #VU7873

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-7546

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description
The vulnerability allows a remote attacker to bypass authentication on the target system.

The weakness exists in the systems using libpq or a libpq-based connection driver to perform password-based authentication methods due to insufficient security restrictions. A remote attacker can submit an empty password to disable password login and log in to the system.

Successful exploitation of the vulnerability may result in unauthorized access to the system and further attacks.

Mitigation
The vulnerability is addressed in the following versions: 9.2.22, 9.3.18, 9.4.13, 9.5.8, 9.6.4.

Vulnerable software versions

PostgreSQL: 9.2.1 - 9.2.21, 9.3.1 - 9.3.17, 9.4.0 - 9.4.12, 9.5.0 - 9.5.7, 9.6.0 - 9.6.3

Fixed software versions

CPE

External links
http://www.postgresql.org/about/news/1772/

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability


openSUSE update for postgresql95
Gentoo update for PostgreSQL
Red Hat update for postgresql
Red Hat update for postgresql
Red Hat update for postgresql
OpenSUSE Linux update for postgresql94
OpenSUSE Linux update for postgresql96
Arch Linux update for postgresql
SUSE Linux update for postgresql96
SUSE Linux update for postgresql94