CVE-2017-7484: Infoleak
First published: Thu May 04 2017(Updated: )
It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <9.2.21 | 9.2.21 |
| redhat/postgresql | <9.3.17 | 9.3.17 |
| redhat/postgresql | <9.4.12 | 9.4.12 |
| redhat/postgresql | <9.5.7 | 9.5.7 |
| redhat/postgresql | <9.6.3 | 9.6.3 |
| PostgreSQL Common | <=9.2.20 | |
| PostgreSQL Common | =9.3 | |
| PostgreSQL Common | =9.3.1 | |
| PostgreSQL Common | =9.3.2 | |
| PostgreSQL Common | =9.3.3 | |
| PostgreSQL Common | =9.3.4 | |
| PostgreSQL Common | =9.3.5 | |
| PostgreSQL Common | =9.3.6 | |
| PostgreSQL Common | =9.3.7 | |
| PostgreSQL Common | =9.3.8 | |
| PostgreSQL Common | =9.3.9 | |
| PostgreSQL Common | =9.3.10 | |
| PostgreSQL Common | =9.3.11 | |
| PostgreSQL Common | =9.3.12 | |
| PostgreSQL Common | =9.3.13 | |
| PostgreSQL Common | =9.3.14 | |
| PostgreSQL Common | =9.3.15 | |
| PostgreSQL Common | =9.3.16 | |
| PostgreSQL Common | =9.4 | |
| PostgreSQL Common | =9.4.1 | |
| PostgreSQL Common | =9.4.2 | |
| PostgreSQL Common | =9.4.3 | |
| PostgreSQL Common | =9.4.4 | |
| PostgreSQL Common | =9.4.5 | |
| PostgreSQL Common | =9.4.6 | |
| PostgreSQL Common | =9.4.7 | |
| PostgreSQL Common | =9.4.8 | |
| PostgreSQL Common | =9.4.9 | |
| PostgreSQL Common | =9.4.10 | |
| PostgreSQL Common | =9.4.11 | |
| PostgreSQL Common | =9.5 | |
| PostgreSQL Common | =9.5.1 | |
| PostgreSQL Common | =9.5.2 | |
| PostgreSQL Common | =9.5.3 | |
| PostgreSQL Common | =9.5.4 | |
| PostgreSQL Common | =9.5.5 | |
| PostgreSQL Common | =9.5.6 | |
| PostgreSQL Common | =9.6 | |
| PostgreSQL Common | =9.6.1 | |
| PostgreSQL Common | =9.6.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.debian.org/security/2017/dsa-3851
- http://www.securityfocus.com/bid/98459
- http://www.securitytracker.com/id/1038476
- https://access.redhat.com/errata/RHSA-2017:1677
- https://access.redhat.com/errata/RHSA-2017:1678
- https://access.redhat.com/errata/RHSA-2017:1838
- https://access.redhat.com/errata/RHSA-2017:1983
- https://access.redhat.com/errata/RHSA-2017:2425
- https://security.gentoo.org/glsa/201710-06
- https://www.postgresql.org/about/news/1746/
- https://github.com/postgres/postgres/commit/e2d4ef8de
- https://github.com/postgres/postgres/commit/b6576e59
- https://github.com/postgres/postgres/commit/da075960
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1450116
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1450117
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1450115
- https://bugzilla.redhat.com/show_bug.cgi?id=1448078
Frequently Asked Questions
What is the severity of CVE-2017-7484?
CVE-2017-7484 has been classified as a medium severity vulnerability due to the potential for information leakage.
How do I fix CVE-2017-7484?
To fix CVE-2017-7484, upgrade PostgreSQL to version 9.2.21 or higher, 9.3.17 or higher, 9.4.12 or higher, 9.5.7 or higher, or 9.6.3 or higher.
What versions of PostgreSQL are affected by CVE-2017-7484?
PostgreSQL versions before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 are affected by CVE-2017-7484.
What type of vulnerability is CVE-2017-7484?
CVE-2017-7484 is an information disclosure vulnerability that can result from improper checks on user privileges.
Can unprivileged users exploit CVE-2017-7484?
Yes, unprivileged users could exploit CVE-2017-7484 to access sensitive information from pg_statistic.
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-7484
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/weakness
- agent/author
- agent/description
- agent/event
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql common
- version/postgresql common/9.2.20
- version/postgresql common/9.3
- version/postgresql common/9.3.1
- version/postgresql common/9.3.2
- version/postgresql common/9.3.3
- version/postgresql common/9.3.4
- version/postgresql common/9.3.5
- version/postgresql common/9.3.6
- version/postgresql common/9.3.7
- version/postgresql common/9.3.8
- version/postgresql common/9.3.9
- version/postgresql common/9.3.10
- version/postgresql common/9.3.11
- version/postgresql common/9.3.12
- version/postgresql common/9.3.13
- version/postgresql common/9.3.14
- version/postgresql common/9.3.15
- version/postgresql common/9.3.16
- version/postgresql common/9.4
- version/postgresql common/9.4.1
- version/postgresql common/9.4.2
- version/postgresql common/9.4.3
- version/postgresql common/9.4.4
- version/postgresql common/9.4.5
- version/postgresql common/9.4.6
- version/postgresql common/9.4.7
- version/postgresql common/9.4.8
- version/postgresql common/9.4.9
- version/postgresql common/9.4.10
- version/postgresql common/9.4.11
- version/postgresql common/9.5
- version/postgresql common/9.5.1
- version/postgresql common/9.5.2
- version/postgresql common/9.5.3
- version/postgresql common/9.5.4
- version/postgresql common/9.5.5
- version/postgresql common/9.5.6
- version/postgresql common/9.6
- version/postgresql common/9.6.1
- version/postgresql common/9.6.2