It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.
The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Link | Tags |
---|---|
http://www.securitytracker.com/id/1038476 | vdb entry |
http://www.debian.org/security/2017/dsa-3851 | vendor advisory |
https://access.redhat.com/errata/RHSA-2017:2425 | vendor advisory |
https://access.redhat.com/errata/RHSA-2017:1678 | vendor advisory |
https://access.redhat.com/errata/RHSA-2017:1677 | vendor advisory |
https://access.redhat.com/errata/RHSA-2017:1983 | vendor advisory |
https://www.postgresql.org/about/news/1746/ | vendor advisory |
https://access.redhat.com/errata/RHSA-2017:1838 | vendor advisory |
http://www.securityfocus.com/bid/98459 | vdb entry, third party advisory |
https://security.gentoo.org/glsa/201710-06 | vendor advisory |