Vulnerability Details : CVE-2017-7484
It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
Vulnerability category: BypassGain privilegeInformation leak
Products affected by CVE-2017-7484
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.4.9:*:*:*:*:*:*:*
Threat overview for CVE-2017-7484
Top countries where our scanners detected CVE-2017-7484
Top open port discovered on systems with this issue
5432
IPs affected by CVE-2017-7484 143,566
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2017-7484!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2017-7484
0.45%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 72 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2017-7484
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0
|
MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
10.0
|
2.9
|
NIST | |
7.5
|
HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2017-7484
-
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.Assigned by: nvd@nist.gov (Primary)
-
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.Assigned by: secalert@redhat.com (Secondary)
References for CVE-2017-7484
-
http://www.securitytracker.com/id/1038476
PostgreSQL Bugs Let Remote Users Access and Modify Data in Transit and Let Remote Authenticated Users Obtain Password and Other Potentially Sensitive Information - SecurityTracker
-
https://access.redhat.com/errata/RHSA-2017:2425
RHSA-2017:2425 - Security Advisory - Red Hat Customer Portal
-
http://www.debian.org/security/2017/dsa-3851
Debian -- Security Information -- DSA-3851-1 postgresql-9.4
-
https://security.gentoo.org/glsa/201710-06
PostgreSQL: Multiple vulnerabilities (GLSA 201710-06) — Gentoo security
-
https://access.redhat.com/errata/RHSA-2017:1678
RHSA-2017:1678 - Security Advisory - Red Hat Customer Portal
-
https://www.postgresql.org/about/news/1746/
PostgreSQL: 2017-05-11 Security Update ReleaseVendor Advisory
-
https://access.redhat.com/errata/RHSA-2017:1677
RHSA-2017:1677 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/errata/RHSA-2017:1838
RHSA-2017:1838 - Security Advisory - Red Hat Customer Portal
-
https://access.redhat.com/errata/RHSA-2017:1983
RHSA-2017:1983 - Security Advisory - Red Hat Customer Portal
-
http://www.securityfocus.com/bid/98459
PostgreSQL CVE-2017-7484 Information Disclosure VulnerabilityThird Party Advisory;VDB Entry
Jump to