#VU7873 Authentication bypass in PostgreSQL


Published: 2017-08-15

Vulnerability identifier: #VU7873

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-7546

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description
The vulnerability allows a remote attacker to bypass authentication on the target system.

The weakness exists in the systems using libpq or a libpq-based connection driver to perform password-based authentication methods due to insufficient security restrictions. A remote attacker can submit an empty password to disable password login and log in to the system.

Successful exploitation of the vulnerability may result in unauthorized access to the system and further attacks.

Mitigation
The vulnerability is addressed in the following versions: 9.2.22, 9.3.18, 9.4.13, 9.5.8, 9.6.4.

Vulnerable software versions

PostgreSQL: 9.2.1 - 9.2.21, 9.3.1 - 9.3.17, 9.4.0 - 9.4.12, 9.5.0 - 9.5.7, 9.6.0 - 9.6.3


CPE

External links
http://www.postgresql.org/about/news/1772/


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability