PostgreSQL Patches Multiple Vulnerabilities
The PostgreSQL Global Development Group (PGDG) takes security seriously and has published updates to all supported versions of the database system: 9.6.4, 9.5.8, 9.4.13, 9.3.18, and 9.2.22.
Three vulnerabilities and more than 50 bugs have been reported in the last three months.
PostgreSQL takes security seriously, allowing users to place their trust in PostgreSQL and in the web sites and applications built on it.
The three security vulnerabilities patched by the developers are:
– CVE-2017-7546: Empty password accepted in some authentication methods.
– CVE-2017-7547: The “pg_user_mappings” catalogue view discloses passwords to users lacking server privileges.
– CVE-2017-7548: lo_put() function ignores ACLs.
The first vulnerability carries a class “A” rating, which means it can be exploited for privilege escalation without needing a prior login.
The second vulnerability concerns passwords being leaked to unauthorized users.
“A user had access to see the options in pg_user_mappings even if the user did not have the USAGE permission on the associated foreign server. This meant that a user could see details such as a password that might have been set by the server administrator rather than the user.”
The third vulnerability can be exploited by any user to modify data in a large object. The lo_put() function should require the same permissions as lowrite(), but a missing permission check allowed any user to change the data in a large object.
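One way to confirm on an upgraded server that lo_put() now enforces the same ACL as lowrite(), as an added example that is not from the article or the PostgreSQL project; it assumes a superuser session, and the role name lo_probe_role is a placeholder:

```sql
-- Constructed verification script: creates a large object owned by the
-- privileged session role, then tries to overwrite it as an unprivileged
-- role that holds no grant on the object. A patched server rejects the write.
CREATE ROLE lo_probe_role NOLOGIN;  -- placeholder role, dropped at the end

DO $$
DECLARE
    blob_oid oid;
    denied   boolean := false;
BEGIN
    -- Large object owned by the current (privileged) role; no ACL granted to others.
    blob_oid := lo_from_bytea(0, '\x68656c6c6f'::bytea);  -- contents: "hello"

    -- Switch to the unprivileged role for the rest of this transaction.
    SET LOCAL ROLE lo_probe_role;
    BEGIN
        -- Attempt an in-place write of one byte at offset 0.
        PERFORM lo_put(blob_oid, 0, '\x4a'::bytea);
    EXCEPTION
        WHEN insufficient_privilege THEN
            denied := true;  -- expected outcome on a patched server
    END;
    RESET ROLE;

    IF NOT denied THEN
        RAISE EXCEPTION 'lo_put() accepted a write from a non-owner: check for CVE-2017-7548';
    END IF;
    RAISE NOTICE 'lo_put() rejected the non-owner write as expected';

    PERFORM lo_unlink(blob_oid);  -- clean up the probe object
END $$;

DROP ROLE lo_probe_role;
```

If the server runs with lo_compat_privileges enabled, large-object permission checks are skipped by design and the probe will report the write as accepted regardless of patch level.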