CVE-2017-7486
Public on 2017-05-12
Modified on 2017-06-06
Description
It was found that the pg_user_mappings view could disclose information about user mappings to a foreign database to non-administrative database users. A database user with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database.
Severity
CVSS v3 Base Score
Affected Packages
Platform | Package | Release Date | Advisory | Status |
---|---|---|---|---|
Amazon Linux 1 | postgresql92 | 2017-06-06 | ALAS-2017-838 | Fixed |
Amazon Linux 1 | postgresql93 | 2017-06-06 | ALAS-2017-839 | Fixed |
Amazon Linux 1 | postgresql94 | 2017-06-06 | ALAS-2017-839 | Fixed |
Amazon Linux 1 | postgresql95 | 2017-06-06 | ALAS-2017-839 | Fixed |
CVSS Scores
Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |