CVE-2017-7485

Public on 2017-06-06
Modified on 2017-06-06
Description
It was discovered that the PostgreSQL client library (libpq) did not enforce the use of TLS/SSL for a connection to a PostgreSQL server when the PGREQUIRESSL environment variable was set. An man-in-the-middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.
Severity
Medium
CVSS v3 Base Score
7.4
See breakdown

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 postgresql93 2017-06-06 16:53 ALAS-2017-839
Amazon Linux 1 postgresql94 2017-06-06 16:53 ALAS-2017-839
Amazon Linux 1 postgresql95 2017-06-06 16:53 ALAS-2017-839

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
NVD CVSSv2 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N
NVD CVSSv3 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N