CVE-2017-7546
published 2017-08-16CVE-2017-7546: PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to…
PriorityP181critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
61.57%
99.1th percentile
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.
Affected
83 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Authentication bypass is possible when a PostgreSQL account has an empty password — an attacker can authenticate successfully by sending an empty password even though libpq refuses to transmit one, meaning server-side authentication methods (e.g. md5) incorrectly accept the empty credential ↗
- →Monitor PostgreSQL authentication logs for successful logins to accounts that are believed to have password login disabled or that are configured with empty passwords; unexpected successful authentications to such accounts indicate exploitation ↗
- →The upstream fix is available at the referenced commit; patch presence/absence can be used to confirm vulnerable vs. patched state of a PostgreSQL installation ↗
- ·Vulnerability affects PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8, and 9.6.4; accounts are only exploitable if they have an empty password set in the database ↗
- ·Several authentication methods including the widely-used 'md5' method are affected; the flaw may have given a false impression that an empty password disabled the account, but it does not ↗
CVSS provenance
nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv9.8CRITICAL
vendor_redhat9.8CRITICAL
vendor_ubuntu9.8CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-cj69-7h9j-r3j5: PostgreSQL versions before 9
ghsa_unreviewed·2022-05-13
CVE-2017-7546 [CRITICAL] CWE-287 GHSA-cj69-7h9j-r3j5: PostgreSQL versions before 9
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.
OSV
CVE-2017-7546: PostgreSQL versions before 9
osv·2017-08-16·CVSS 9.8
CVE-2017-7546 [CRITICAL] CVE-2017-7546: PostgreSQL versions before 9
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.
OSV
postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities
osv·2017-08-15·CVSS 9.8
CVE-2017-7546 [CRITICAL] postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities
postgresql-9.3, postgresql-9.5, postgresql-9.6 vulnerabilities
Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that
PostgreSQL allowed the use of empty passwords in some authentication
methods, contrary to expected behaviour. A remote attacker could use an
empty password to authenticate to servers that were believed to have
password login disabled. (CVE-2017-7546)
Jeff Janes discovered that PostgreSQL incorrectly handled the
pg_user_mappings catalog view. A remote attacker without server privileges
could possibly use this issue to obtain certain passwords. (CVE-2017-7547)
Chapman Flack discovered that PostgreSQL incorrectly handled lo_put()
permissions. A remote attacker could possibly use this issue to change the
data in a large object. (CVE-2017-7548)
Ubuntu
PostgreSQL vulnerabilities
vendor_ubuntu·2017-08-15·CVSS 9.8
CVE-2017-7546 [CRITICAL] PostgreSQL vulnerabilities
Title: PostgreSQL vulnerabilities
Summary: Several security issues were fixed in PostgreSQL.
Ben de Graaff, Jelte Fennema, and Jeroen van der Ham discovered that
PostgreSQL allowed the use of empty passwords in some authentication
methods, contrary to expected behaviour. A remote attacker could use an
empty password to authenticate to servers that were believed to have
password login disabled. (CVE-2017-7546)
Jeff Janes discovered that PostgreSQL incorrectly handled the
pg_user_mappings catalog view. A remote attacker without server privileges
could possibly use this issue to obtain certain passwords. (CVE-2017-7547)
Chapman Flack discovered that PostgreSQL incorrectly handled lo_put()
permissions. A remote attacker could possibly use this issue to change the
data in a large object. (C
Red Hat
postgresql: Empty password accepted in some authentication methods
vendor_redhat·2017-08-10·CVSS 9.8
CVE-2017-7546 [CRITICAL] CWE-287 postgresql: Empty password accepted in some authentication methods
postgresql: Empty password accepted in some authentication methods
PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.
It was found that authenticating to a PostgreSQL database account with an empty password was possible despite libpq's refusal to send an empty password. A remote attacker could potentially use this flaw to gain access to database accounts with empty passwords.
Statement: Red Hat Satellite 5 are is in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red H
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 mingw-postgresql: various flaws [fedora-all]
bugzilla·2017-08-10·CVSS 9.8
CVE-2017-7546 [CRITICAL] CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 mingw-postgresql: various flaws [fedora-all]
CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 mingw-postgresql: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2017-7546 CVE-2017-7547 mingw-postgresql: various flaws [epel-7]
bugzilla·2017-08-10·CVSS 9.8
CVE-2017-7546 [CRITICAL] CVE-2017-7546 CVE-2017-7547 mingw-postgresql: various flaws [epel-7]
CVE-2017-7546 CVE-2017-7547 mingw-postgresql: various flaws [epel-7]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of epel-7.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
Discussion:
Use the following template to for the 'fedpkg update
Bugzilla
CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 postgresql: various flaws [fedora-all]
bugzilla·2017-08-10·CVSS 9.8
CVE-2017-7546 [CRITICAL] CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 postgresql: various flaws [fedora-all]
CVE-2017-7546 CVE-2017-7547 CVE-2017-7548 postgresql: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versi
Bugzilla
CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
bugzilla·2017-08-01·CVSS 9.8
CVE-2017-7546 [CRITICAL] CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
CVE-2017-7546 postgresql: Empty password accepted in some authentication methods
Several authentication methods, including the widely-used "md5" method, permit empty passwords. On the client side, libpq will not send an empty password. This may have given a false impression that an empty password was equivalent to disabling the account with respect to authentication methods requiring a password. On the contrary, an attacker could easily authenticate as the user.
Supported vulnerable versions: 9.2 - 9.6
Upstream patch:
https://github.com/postgres/postgres/commit/d5d46d99ba47f
Discussion:
Acknowledgments:
Name: the PostgreSQL project
Upstream: Ben de Graaff, Jelte Fennema, Jeroen van der Ham
---
External References:
https://www.postgresql.org/about/news/1772/
---
Created mingw-po
Greynoiseio
NoiseLetter February 2026
blogs_greynoiseio
NoiseLetter February 2026
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Find out immediately if an asset communicates with a malicious IP address
Vulnerability Prioritization Get real-time insight into active exploitation trends to better understand risk and severity
SOC Efficiency Filter out noisy, low priority and false-positive alerts from mass internet scanners
Incident Investigation Add context to incidents to speed the determinations of scope and timelines
Threat Hunting Quickly identify anomalous behavior and enrich your threat hunting campaigns
Why GreyNoise
CVE Disclosure Early Warning Get an early warning when traffic spikes indicate a high likelihood of new disclosures
Compromised Asset Detection Fin
http://www.debian.org/security/2017/dsa-3935http://www.debian.org/security/2017/dsa-3936http://www.securityfocus.com/bid/100278http://www.securitytracker.com/id/1039142https://access.redhat.com/errata/RHSA-2017:2677https://access.redhat.com/errata/RHSA-2017:2678https://access.redhat.com/errata/RHSA-2017:2728https://access.redhat.com/errata/RHSA-2017:2860https://security.gentoo.org/glsa/201710-06https://www.postgresql.org/about/news/1772/http://www.debian.org/security/2017/dsa-3935http://www.debian.org/security/2017/dsa-3936http://www.securityfocus.com/bid/100278http://www.securitytracker.com/id/1039142https://access.redhat.com/errata/RHSA-2017:2677https://access.redhat.com/errata/RHSA-2017:2678https://access.redhat.com/errata/RHSA-2017:2728https://access.redhat.com/errata/RHSA-2017:2860https://security.gentoo.org/glsa/201710-06https://www.postgresql.org/about/news/1772/
2017-08-16
Published