Homepage

Link Following Affecting postgresql-server package, versions *

Severity

 Recommended
0.0
medium
0
10

Based on Red Hat Enterprise Linux security rating.

Threat Intelligence

EPSS
0.06% (29th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-RHEL6-POSTGRESQLSERVER-1363154
  • published26 Jul 2021
  • disclosed9 Nov 2017
Report a new vulnerability Found a mistake?

Introduced: 9 Nov 2017

CVE-2017-12172  (opens in a new tab)
CWE-59  (opens in a new tab)

How to fix?

There is no fixed version for RHEL:6 postgresql-server.

NVD Description

Note: Versions mentioned in the description apply only to the upstream postgresql-server package and not the postgresql-server package as distributed by RHEL. See How to fix? for RHEL:6 relevant fixed versions and status.

PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server.