VDB

GCVE-VVD-MAGEIA-2017-316

GCVE-VVD-MAGEIA-2017-316
Advisory Published
Vulnetix · Advisory published August 28, 2017
libpq, and by extension any connection driver that utilizes libpq, ignores empty passwords and does not transmit them to the server. When using libpq or a libpq-based connection driver to perform password-based authentication methods, it would appear that setting an empty password would be the equivalent of disabling password login. However, using a non-libpq based connection driver could allow a client with an empty password to log in (CVE-2017-7546). A user had access to see the options in pg_user_mappings even if the user did not have the USAGE permission on the associated foreign server. This meant that a user could see details such as a password that might have been set by the server administrator rather than the user (CVE-2017-7547). The lo_put() function should require the same permissions as lowrite(), but there was a missing permission check which would allow any user to change the data in a large object (CVE-2017-7548). Note: the CVE-2017-7547 issue requires manual intervention to fix on affected systems. See the references for details.

Affected Products

VendorProductVersionsPlatforms
Mageiapostgresql9.40 (affected), 9.4.13-1.mga6 (unaffected)
Mageiapostgresql9.30 (affected), 9.3.18-1.mga5 (unaffected)
Mageiapostgresql9.60 (affected), 9.6.4-1.mga6 (unaffected)
Mageiapostgresql9.40 (affected), 9.4.13-1.mga5 (unaffected)

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›