CVE-2017-7546

Public on 2017-08-16

Modified on 2017-10-10

Description

It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.

Severity

Medium

See what this means

CVSS v3 Base Score

5.6

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	postgresql92	2017-08-31 16:20	ALAS-2017-884
Amazon Linux 1	postgresql93	2017-08-31 16:20	ALAS-2017-884
Amazon Linux 1	postgresql94	2017-08-31 16:22	ALAS-2017-885
Amazon Linux 1	postgresql95	2017-08-31 16:22	ALAS-2017-885
Amazon Linux 1	postgresql96	2017-10-06 16:51	ALAS-2017-908

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	5.6	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
NVD	CVSSv2	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
NVD	CVSSv3	9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

Red Hat: CVE-2017-7546 Mitre: CVE-2017-7546 FAQs regarding Amazon Linux ALAS/CVE Severity