CVE-2017-7484
Published: 12 May 2017
It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
postgresql-10 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Not vulnerable
(10.1-1)
|
|
| cosmic |
Not vulnerable
(10.1-1)
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
postgresql-9.1 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
(trusty was needed)
|
|
| upstream |
Needed
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
postgresql-9.3 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Released
(9.3.17-0ubuntu0.14.04)
|
|
| upstream |
Needed
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
postgresql-9.5 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(9.5.7)
|
|
| xenial |
Released
(9.5.7-0ubuntu0.16.04)
|
|
| yakkety |
Ignored
(end of life)
|
|
| zesty |
Does not exist
|
|
|
postgresql-9.6 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(9.6.4-1)
|
| bionic |
Does not exist
|
|
| cosmic |
Does not exist
|
|
| disco |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(9.6.3)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Released
(9.6.3-0ubuntu0.17.04)
|
|
|
Patches: upstream: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=c33c42362256382ed398df9dcda559cd547c68a7 upstream: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cad15943225adbcadea51602b38b04d71d1183d2 upstream: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=935e77d527a018b652f247c7374c558871210db6 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |