ALAS-2017-839 ---- postgresql93 postgresql94 postgresql95ID: oval:org.secpod.oval:def:1600707 | Date: (C)2017-06-07 (M)2023-02-06 |
Class: PATCH | Family: unix |
Selectivity estimators bypass SELECT privilege checksIt was found that some selectivity estimation functions did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. libpq ignores PGREQUIRESSL environment variableIt was found that the PGREQUIRESSL was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. pg_user_mappings view discloses foreign server passwordsIt was found that the pg_user_mappings view from postgresql could disclose information about user mappings to a foreign database to unprivileged users. An authenticated attacker with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database
Platform: |
Amazon Linux AMI |
Product: |
postgresql93 |
postgresql94 |
postgresql95 |