VID 25235
Severity 40
Port 5432
Protocol TCP
Class DB
Detailed Description The PostgreSQL server, according to its version number, has multiple vulnerabilities. PostgreSQL is an object-relational database management system (DBMS) that supports an extended subset of SQL.

The version of PostgreSQL installed on the remote host is 9.4.x prior to 9.4.13. It is, therefore, affected by multiple vulnerabilities:

- An authentication bypass flaw exists because an empty password is accepted by some authentication methods. (CVE-2017-7546)

- An information disclosure vulnerability exists in the 'pg_user_mappings' catalog view that can disclose passwords to users lacking server privileges. (CVE-2017-7547)

- A flaw exists in the lo_put() function due to improper permission checking, which causes ACLs to be ignored. (CVE-2017-7548)

* References:
https://www.postgresql.org/about/news/1772/
https://www.postgresql.org/docs/current/static/release-9-2-22.html
https://www.postgresql.org/docs/current/static/release-9-3-18.html
https://www.postgresql.org/docs/current/static/release-9-4-13.html
https://www.postgresql.org/docs/current/static/release-9-5-8.html
https://www.postgresql.org/docs/current/static/release-9-6-4.html

* Platforms Affected:
PostgreSQL prior to 9.4.13
Any operating system, any version
Recommendation Upgrade to the latest version of PostgreSQL (9.4.13 or later), available from the PostgreSQL Web page at http://www.postgresql.org/download/
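The check this entry describes is a version comparison: the server banner is parsed and compared against the first fixed release of its branch (9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4, from the release notes referenced above). The following is an added example of that logic, not code from the scanner or from the PostgreSQL project; the inventory banners are constructed samples.

```python
import re

# First patched release per PostgreSQL branch, taken from the advisory's
# release-note references (9.2.22, 9.3.18, 9.4.13, 9.5.8, 9.6.4).
FIXED_RELEASES = {
    (9, 2): 22,
    (9, 3): 18,
    (9, 4): 13,
    (9, 5): 8,
    (9, 6): 4,
}

# Matches the leading part of a `SELECT version()` banner, e.g.
# "PostgreSQL 9.4.12 on x86_64-pc-linux-gnu, compiled by ...".
_BANNER_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)(?:\.(\d+))?")
# Fallback for a bare version string such as "9.4.12".
_BARE_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a banner or bare version string,
    or None if no version can be found. A missing patch level is 0."""
    m = _BANNER_RE.search(text) or _BARE_RE.match(text)
    if m is None:
        return None
    patch = int(m.group(3)) if m.group(3) is not None else 0
    return int(m.group(1)), int(m.group(2)), patch


def is_affected(text):
    """True if the version is in a 9.2-9.6 branch and older than that
    branch's fix release; False if patched or in a branch this advisory
    does not list; None if the version cannot be parsed."""
    parsed = parse_version(text)
    if parsed is None:
        return None
    major, minor, patch = parsed
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return False
    return patch < fixed


# Constructed sample inventory (hostname -> banner); not real hosts.
SAMPLE_INVENTORY = {
    "db-01": "PostgreSQL 9.4.12 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5, 64-bit",
    "db-02": "PostgreSQL 9.4.13 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 4.8.5, 64-bit",
    "db-03": "PostgreSQL 9.6.3 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 6.3.0, 64-bit",
    "db-04": "PostgreSQL 10.1 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 7.2.0, 64-bit",
}


def affected_hosts(inventory):
    """Sorted list of hosts whose banner falls below the branch fix release."""
    return sorted(host for host, banner in inventory.items() if is_affected(banner))
```

Hosts on 10.x and later are reported as not affected only because this advisory's fix list does not cover them, so they still need to be checked against their own branch's release notes.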
Related URL CVE-2017-7546,CVE-2017-7547,CVE-2017-7548 (CVE)