7.2

CVE-2017-12172

PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server.

Data is provided by the National Vulnerability Database (NVD)
PostgresqlPostgresql Version9.2
PostgresqlPostgresql Version9.2.1
PostgresqlPostgresql Version9.2.2
PostgresqlPostgresql Version9.2.3
PostgresqlPostgresql Version9.2.4
PostgresqlPostgresql Version9.2.5
PostgresqlPostgresql Version9.2.6
PostgresqlPostgresql Version9.2.7
PostgresqlPostgresql Version9.2.8
PostgresqlPostgresql Version9.2.9
PostgresqlPostgresql Version9.2.10
PostgresqlPostgresql Version9.2.11
PostgresqlPostgresql Version9.2.12
PostgresqlPostgresql Version9.2.13
PostgresqlPostgresql Version9.2.14
PostgresqlPostgresql Version9.2.15
PostgresqlPostgresql Version9.2.16
PostgresqlPostgresql Version9.2.17
PostgresqlPostgresql Version9.2.18
PostgresqlPostgresql Version9.2.19
PostgresqlPostgresql Version9.2.20
PostgresqlPostgresql Version9.2.21
PostgresqlPostgresql Version9.2.22
PostgresqlPostgresql Version9.2.23
PostgresqlPostgresql Version9.3
PostgresqlPostgresql Version9.3.1
PostgresqlPostgresql Version9.3.2
PostgresqlPostgresql Version9.3.3
PostgresqlPostgresql Version9.3.4
PostgresqlPostgresql Version9.3.5
PostgresqlPostgresql Version9.3.6
PostgresqlPostgresql Version9.3.7
PostgresqlPostgresql Version9.3.8
PostgresqlPostgresql Version9.3.9
PostgresqlPostgresql Version9.3.10
PostgresqlPostgresql Version9.3.11
PostgresqlPostgresql Version9.3.12
PostgresqlPostgresql Version9.3.13
PostgresqlPostgresql Version9.3.14
PostgresqlPostgresql Version9.3.15
PostgresqlPostgresql Version9.3.16
PostgresqlPostgresql Version9.3.17
PostgresqlPostgresql Version9.3.18
PostgresqlPostgresql Version9.3.19
PostgresqlPostgresql Version9.4
PostgresqlPostgresql Version9.4.1
PostgresqlPostgresql Version9.4.2
PostgresqlPostgresql Version9.4.3
PostgresqlPostgresql Version9.4.4
PostgresqlPostgresql Version9.4.5
PostgresqlPostgresql Version9.4.6
PostgresqlPostgresql Version9.4.7
PostgresqlPostgresql Version9.4.8
PostgresqlPostgresql Version9.4.9
PostgresqlPostgresql Version9.4.10
PostgresqlPostgresql Version9.4.11
PostgresqlPostgresql Version9.4.12
PostgresqlPostgresql Version9.4.13
PostgresqlPostgresql Version9.4.14
PostgresqlPostgresql Version9.5
PostgresqlPostgresql Version9.5.1
PostgresqlPostgresql Version9.5.2
PostgresqlPostgresql Version9.5.3
PostgresqlPostgresql Version9.5.4
PostgresqlPostgresql Version9.5.5
PostgresqlPostgresql Version9.5.6
PostgresqlPostgresql Version9.5.7
PostgresqlPostgresql Version9.5.8
PostgresqlPostgresql Version9.5.9
PostgresqlPostgresql Version9.6
PostgresqlPostgresql Version9.6.1
PostgresqlPostgresql Version9.6.2
PostgresqlPostgresql Version9.6.3
PostgresqlPostgresql Version9.6.4
PostgresqlPostgresql Version9.6.5
PostgresqlPostgresql Version10
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.05% 0.137
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 6.7 0.8 5.9
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.2 3.9 10
AV:L/AC:L/Au:N/C:C/I:C/A:C
CWE-59 Improper Link Resolution Before File Access ('Link Following')

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

http://www.securitytracker.com/id/1039752
Third Party Advisory
VDB Entry
https://www.postgresql.org/about/news/1801/
Vendor Advisory
Issue Tracking
https://www.postgresql.org/support/security/
Vendor Advisory
Issue Tracking
http://www.securityfocus.com/bid/101949
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:3402
Third Party Advisory
Issue Tracking
https://access.redhat.com/errata/RHSA-2017:3403
Third Party Advisory
Issue Tracking
https://access.redhat.com/errata/RHSA-2017:3404
Third Party Advisory
Issue Tracking
https://access.redhat.com/errata/RHSA-2017:3405
Third Party Advisory
Issue Tracking