CVE-2018-1053 – postgresql: pg_upgrade creates file of sensitive metadata under prevailing umask
https://notcve.org/view.php?id=CVE-2018-1053
In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file. En postgresql, en versiones 9.3.x anteriores a la 9.3.21, versiones 9.4.x anteriores a la 9.4.16, versiones 9.5.x anteriores a la 9.5.11, versiones 9.6.x anteriores a la 9.6.7 y en versiones 10.x anteriores a la 10.2, pg_upgrade crea archivos en el directorio de trabajo actual que contienen la salida de "pg_dumpall -g" bajo umask, que estaba en funcionamiento cuando el usuario invocó a pg_upgrade y no bajo 0077, que es el directorio que se suele emplear para otros archivos temporales. Esto puede permitir que un atacante autenticado lea o modifique un archivo que puede contener contraseñas cifradas o sin cifrar de la base de datos. • http://www.securityfocus.com/bid/102986 https://access.redhat.com/errata/RHSA-2018:2511 https://access.redhat.com/errata/RHSA-2018:2566 https://access.redhat.com/errata/RHSA-2018:3816 https://lists.debian.org/debian-lts-announce/2018/02/msg00006.html https://usn.ubuntu.com/3564-1 https://www.postgresql.org/about/news/1829 https://access.redhat.com/security/cve/CVE-2018-1053 https://bugzilla.redhat.com/show_bug.cgi?id=1539619 • CWE-377: Insecure Temporary File CWE-732: Incorrect Permission Assignment for Critical Resource •
CVE-2017-12172 – postgresql: Start scripts permit database administrator to modify root-owned files
https://notcve.org/view.php?id=CVE-2017-12172
PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. • http://www.securityfocus.com/bid/101949 http://www.securitytracker.com/id/1039752 https://access.redhat.com/errata/RHSA-2017:3402 https://access.redhat.com/errata/RHSA-2017:3403 https://access.redhat.com/errata/RHSA-2017:3404 https://access.redhat.com/errata/RHSA-2017:3405 https://www.postgresql.org/about/news/1801 https://www.postgresql.org/support/security https://access.redhat.com/security/cve/CVE-2017-12172 https://bugzilla.redhat.com/show_bug.cgi?id=1498394 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2017-15098 – postgresql: Memory disclosure in JSON functions
https://notcve.org/view.php?id=CVE-2017-15098
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory. Las llamadas de función json_populate_recordset o jsonb_populate_recordset inválidas en PostgreSQL en versiones 10.x anteriores a la 10.1; versiones 9.6.x anteriores a la 9.6.6, versiones 9.5.x anteriores a la 9.5.10; versiones 9.4.x anteriores a la 9.4.15 y versiones 9.3.x anteriores a la 9.3.20 pueden provocar el cierre inesperado del servidor o divulgar unos pocos bytes de memoria del servidor. • http://www.securityfocus.com/bid/101781 http://www.securitytracker.com/id/1039752 https://access.redhat.com/errata/RHSA-2018:2511 https://access.redhat.com/errata/RHSA-2018:2566 https://www.debian.org/security/2017/dsa-4027 https://www.debian.org/security/2017/dsa-4028 https://www.postgresql.org/about/news/1801 https://www.postgresql.org/support/security https://access.redhat.com/security/cve/CVE-2017-15098 https://bugzilla.redhat.com/show_bug.cgi?id=1508820 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2017-7547 – postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
https://notcve.org/view.php?id=CVE-2017-7547
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. PostgreSQL en sus versiones anteriores a 9.2.22, 9.3.18, 9.4.13, 9.5.8 y 9.6.4 es vulnerable a un fallo de autorización que permite que los atacantes remotos autenticados recuperen contraseñas de los mapeos de usuarios definidos por los propietarios del servidor extranjero sin tener privilegios para ello. An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote, authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. • http://www.debian.org/security/2017/dsa-3935 http://www.debian.org/security/2017/dsa-3936 http://www.securityfocus.com/bid/100275 http://www.securitytracker.com/id/1039142 https://access.redhat.com/errata/RHSA-2017:2677 https://access.redhat.com/errata/RHSA-2017:2678 https://access.redhat.com/errata/RHSA-2017:2728 https://security.gentoo.org/glsa/201710-06 https://www.postgresql.org/about/news/1772 https://access.redhat.com/security/cve/CVE-2017-7547 https:// • CWE-522: Insufficiently Protected Credentials •
CVE-2017-7546 – postgresql: Empty password accepted in some authentication methods
https://notcve.org/view.php?id=CVE-2017-7546
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password. PostgreSQL en sus versiones anteriores a 9.2.22, 9.3.18, 9.4.13, 9.5.8 y 9.6.4 es vulnerable a un fallo de autenticación incorrecta que permite que atacantes remotos obtengan acceso a cuentas de la base de datos con una contraseña vacía. It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords. • http://www.debian.org/security/2017/dsa-3935 http://www.debian.org/security/2017/dsa-3936 http://www.securityfocus.com/bid/100278 http://www.securitytracker.com/id/1039142 https://access.redhat.com/errata/RHSA-2017:2677 https://access.redhat.com/errata/RHSA-2017:2678 https://access.redhat.com/errata/RHSA-2017:2728 https://access.redhat.com/errata/RHSA-2017:2860 https://security.gentoo.org/glsa/201710-06 https://www.postgresql.org/about/news/1772 https://access • CWE-287: Improper Authentication •