Korean
<< Back
VID 25233
Severity 40
Port 5432
Protocol TCP
Class DB
Detailed Description The PostgreSQL server, according to its version number, has multiple vulnerabilities. PostgreSQL is a Object-Relational database management system (DBMS) that supports an extended subset of SQL.

The version of PostgreSQL installed on the remote host is 9.2.x prior to 9.2.22. It is, therefore, affected by multiple vulnerabilities :

- An authentication bypass flaw exists in that an empty password is accepted in some authentication methods. (CVE-2017-7546)

- An information disclosure vulnerability exists in the 'pg_user_mappings' catalog view that can disclose passwords to users lacking server privileges. (CVE-2017-7547)

- A flaw exists in the lo_put() function due to improper checking of permissions that leads to ignoring of ACLs. (CVE-2017-7548)

* References:
https://www.postgresql.org/about/news/1772/
https://www.postgresql.org/docs/current/static/release-9-2-22.html
https://www.postgresql.org/docs/current/static/release-9-3-18.html
https://www.postgresql.org/docs/current/static/release-9-4-13.html
https://www.postgresql.org/docs/current/static/release-9-5-8.html
https://www.postgresql.org/docs/current/static/release-9-6-4.html

* Platforms Affected:
PostgreSQL prior to 9.2.22
Any operating system Any version
Recommendation Upgrade to the latest version of PostgreSQL (9.2.22 or later), available from the PostgreSQL Web page at http://www.postgresql.org/download/
Related URL CVE-2017-7546,CVE-2017-7547,CVE-2017-7548 (CVE)
Related URL (SecurityFocus)
Related URL (ISS)