ALAS-2017-885 ---- postgresql94 postgresql95
ID: oval:org.secpod.oval:def:1600767 | Date: (C)2017-09-21 (M)2023-12-20 |
Class: PATCH | Family: unix |
pg_user_mappings view discloses passwords to users lacking server privileges: An authorization flaw was found in the way PostgreSQL handled access to the pg_user_mappings view on foreign servers. A remote authenticated attacker could potentially use this flaw to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.
Empty password accepted in some authentication methods: It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.
lo_put function ignores ACLs: An authorization flaw was found in the way PostgreSQL handled large objects. A remote authenticated attacker with no privileges on a large object could potentially use this flaw to overwrite the entire content of the object, thus resulting in denial of service.
Platform: |
Amazon Linux AMI |
Product: |
postgresql94 |
postgresql95 |