PostgreSQL Has Patched Multiple Vulnerabilities

The PostgreSQL Global Development Group (PGDG) takes security seriously and has published updates to all supported versions of the database system, including 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22.

There are 3 vulnerabilities and more than 50 bugs reported in the last 3 months.

PostgreSQL takes security seriously, allowing its users to place their trust in PostgreSQL web sites and applications built .

These three security vulnerabilities have been patched by the developers:
– CVE-2017-7546: Empty password accepted in some authentication methods.
– CVE-2017-7547: The “pg_user_mappings” catalog view discloses passwords to users lacking server privileges.
– CVE-2017-7548: lo_put() function ignores ACLs.

The first vulnerability has a class “A” rating, which means that it can be exploited for privilege escalation without needing prior login.

The second vulnerability is about passwords being leaked to unauthorized users.

“A user had access to see the options in pg_user_mappings even if the user did not have the USAGE permission on the associated foreign server. This meant that a user could see details such as a password that might have been set by the server administrator rather than the user.”

The third vulnerability can be exploited by any user to modify data in a large object. The lo_put() function should require the same permissions as lowrite(), but there was a missing permission check which would allow any user to modify the data in a large object.
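
A check against the fixed releases listed above, as an added example that is not part of the original article or PostgreSQL's own tooling: it parses the strings returned by `SHOW server_version`, `SELECT version()` or `SHOW server_version_num` and compares each server with the patched minor release for its branch. The hostnames and sample versions are constructed, and `parse_version`, `assess` and `report` are hypothetical helper names.

```python
import re

# Fixed minor release per branch, taken from the versions listed in the article.
PATCHED = {(9, 6): 4, (9, 5): 8, (9, 4): 13, (9, 3): 18, (9, 2): 22}

def parse_version(text):
    """Return (major, branch, minor) from any of the three version formats."""
    text = text.strip()
    if re.fullmatch(r"\d{5,6}", text):            # server_version_num, e.g. 90603
        num = int(text)
        return num // 10000, (num // 100) % 100, num % 100
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)    # "9.6.3" or "PostgreSQL 9.5.7 on ..."
    if not m:
        raise ValueError("no three-part PostgreSQL version in %r" % text)
    return tuple(int(part) for part in m.groups())

def assess(text):
    """Classify a server as 'patched', 'vulnerable' or 'not-covered'."""
    try:
        major, branch, minor = parse_version(text)
    except ValueError:
        return "not-covered"
    fixed = PATCHED.get((major, branch))
    if fixed is None:
        # Branch is not in the article's list; this says nothing about exposure.
        return "not-covered"
    return "patched" if minor >= fixed else "vulnerable"

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "db-a": "9.6.3",
    "db-b": "PostgreSQL 9.5.8 on x86_64-pc-linux-gnu, compiled by gcc 4.8.5, 64-bit",
    "db-c": "90412",
    "db-d": "9.1.24",
}

def report(inventory):
    """Map each host to its status, sorted by host name."""
    return {host: assess(ver) for host, ver in sorted(inventory.items())}

if __name__ == "__main__":
    for host, status in report(SAMPLE).items():
        print(host, status)
```

A `not-covered` result only means the branch is outside the releases named in the article, so those servers need a separate review.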