VDB
GCVE-VVD-MAGEIA-2017-316
GCVE-VVD-MAGEIA-2017-316
Advisory Published
libpq, and by extension any connection driver that utilizes libpq,
ignores empty passwords and does not transmit them to the server. When
using libpq or a libpq-based connection driver to perform password-based
authentication methods, it would appear that setting an empty password
would be the equivalent of disabling password login. However, using a
non-libpq based connection driver could allow a client with an empty
password to log in (CVE-2017-7546).
A user had access to see the options in pg_user_mappings even if the
user did not have the USAGE permission on the associated foreign server.
This meant that a user could see details such as a password that might
have been set by the server administrator rather than the user
(CVE-2017-7547).
The lo_put() function should require the same permissions as lowrite(),
but there was a missing permission check which would allow any user to
change the data in a large object (CVE-2017-7548).
Note: the CVE-2017-7547 issue requires manual intervention to fix on
affected systems. See the references for details.
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| Mageia | postgresql9.4 | 0 (affected), 9.4.13-1.mga6 (unaffected) | — |
| Mageia | postgresql9.3 | 0 (affected), 9.3.18-1.mga5 (unaffected) | — |
| Mageia | postgresql9.6 | 0 (affected), 9.6.4-1.mga6 (unaffected) | — |
| Mageia | postgresql9.4 | 0 (affected), 9.4.13-1.mga5 (unaffected) | — |
References
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.