CVE-2017-7485 — Detection of Error Condition Without Action in Postgresql Global Development Group Postgresql

CWE-390 — Detection of Error Condition Without Action CWE-311 — Missing Encryption of Sensitive Data10 documents6 sources

Severity

5.9MEDIUMNVD

EPSS

0.7%

top 27.74%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql THE Postgresql Global Development Group Postgresql

Timeline

PublishedMay 12

Latest updateMay 13

Description

In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages3 packages

▶Alpinepostgresql/postgresql< 9.6.3-r0+11

▶NVDpostgresql/postgresql39 versions+38

▶CVEListV5the_postgresql_global_development_group/postgresql9.3 - 9.6

🔴Vulnerability Details

GHSA

GHSA-742m-4pjq-x8qf: In PostgreSQL 9↗2022-05-13

▶

OSV

CVE-2017-7485: In PostgreSQL 9↗2017-05-12

▶

CVEList

CVE-2017-7485: In PostgreSQL 9↗2017-05-12

▶

📋Vendor Advisories

Red Hat

postgresql: libpq ignores PGREQUIRESSL environment variable↗2017-05-11

▶

💬Community

Bugzilla

CVE-2017-7484 CVE-2017-7485 CVE-2017-7486 mingw-postgresql: various flaws [fedora-all]↗2017-05-11

▶

Bugzilla

CVE-2017-7484 CVE-2017-7485 CVE-2017-7486 postgresql: various flaws [fedora-all]↗2017-05-11

▶

Bugzilla

CVE-2017-7484 CVE-2017-7485 CVE-2017-7486 mingw-postgresql: various flaws [epel-7]↗2017-05-11

▶

Bugzilla

CVE-2017-7485 postgresql: libpq ignores PGREQUIRESSL environment variable↗2017-05-04

▶

Bugzilla

CVE-2017-2638 infinispan: auth bypass in REST api↗2017-03-02

▶