It was found that the pg_user_mappings view could disclose information about user mappings to a foreign database to non-administrative database users. A database user with USAGE privilege for this mapping could, when querying the view, obtain user mapping data, such as the username and password used to connect to the foreign database.
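
An audit query for the exposure described above, as an added example that is not part of the advisory: run as a superuser, it lists non-superuser roles holding USAGE on a foreign server whose user mappings store a password. It assumes the credential is stored under the option key `password`, as postgres_fdw does.

```sql
-- Added audit example, not taken from the advisory.
-- Run as a superuser: the pg_user_mapping catalog is not readable by ordinary roles.
-- Assumption: the credential is stored under the option key "password" (postgres_fdw).
SELECT s.srvname                     AS foreign_server,
       COALESCE(m.rolname, 'PUBLIC') AS mapping_for,
       r.rolname                     AS role_with_usage
FROM pg_user_mapping um
JOIN pg_foreign_server s ON s.oid = um.umserver
LEFT JOIN pg_roles m     ON m.oid = um.umuser   -- umuser = 0 is the PUBLIC mapping
JOIN pg_roles r          ON NOT r.rolsuper
                        AND has_server_privilege(r.oid, s.oid, 'USAGE')
WHERE EXISTS (                                   -- mapping carries a stored password
        SELECT 1
        FROM unnest(um.umoptions) AS opt
        WHERE opt LIKE 'password=%'
      )
  AND r.oid IS DISTINCT FROM um.umuser           -- a role reading its own mapping is expected
ORDER BY foreign_server, role_with_usage;
```

Each row is a role that could have read another mapping's options through the view on an unpatched server; after updating the packages, review these grants and consider rotating the listed foreign credentials.
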

Platform | Package | Release Date | Advisory |
---|---|---|---|
Amazon Linux 1 | postgresql92 | 2017-06-06 16:53 | ALAS-2017-838 |
Amazon Linux 1 | postgresql93 | 2017-06-06 16:53 | ALAS-2017-839 |
Amazon Linux 1 | postgresql94 | 2017-06-06 16:53 | ALAS-2017-839 |
Amazon Linux 1 | postgresql95 | 2017-06-06 16:53 | ALAS-2017-839 |

Source | Score Type | Score | Vector |
---|---|---|---|
Amazon Linux | CVSSv3 | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
NVD | CVSSv2 | 5.0 | AV:N/AC:L/Au:N/C:P/I:N/A:N |
NVD | CVSSv3 | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |