|
|
|||
| Rule General Information |
|---|
| Release Date: | 2018-11-20 | |
| Rule Name: | DB-OTHER PostgreSQL Database Core Server non-libpq Client Policy Bypass Vulnerability (CVE-2017-7546) | |
| Severity: | ||
| CVE ID: | ||
| Rule Protection Details |
|---|
| Description: | A security policy bypass vulnerability has been reported in the core server component of the PostgreSQL database server. The vulnerability is due to improper authentication of user accounts with empty passwords for clients that do not use libpq. Versions prior to PostgreSQL 9.2.22, 9.3.18, 9.4.13, 9.5.8, and 9.6.4 are vulnerable. | |
| Impact: | An attacker can take advantage of the vulnerability to bypass the security policy implemented by the software administrator, and perform unauthorized actions to the target system. | |
| Affected OS: | Solaris, FreeBSD, Windows, Linux, Other Unix, Others | |
| Reference: | http://www.debian.org/security/2017/dsa-3935 http://www.debian.org/security/2017/dsa-3936 SecurityFocusBID:100278 SecurityTrackerID:1039142 https://access.redhat.com/errata/RHSA-2017:2677 https://access.redhat.com/errata/RHSA-2017:2678 https://access.redhat.com/errata/RHSA-2017:2728 https://access.redhat.com/errata/RHSA-2017:2860 https://security.gentoo.org/glsa/201710-06 https://www.postgresql.org/about/news/1772/ |
|
| Solutions |
|---|
| Please replace the product with an unaffected version. Upgrading to version 9.2.22, 9.3.18, 9.4.13, 9.5.8 or 9.6.4 eliminates this vulnerability. |