CVE-2017-8806 - Improper Link Resolution Before File Access ('Link Following')

Severity

36%

Complexity

39%

Confidentiality

81%

The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.

The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.

CVSS 3.0 Base Score 5.5. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N).

CVSS 2.0 Base Score 3.6. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:N/I:P/A:P).

Overview

First reported 7 years ago

2017-11-13 09:29:00

Last updated 7 years ago

2017-12-08 18:42:00

Affected Software

PostgreSQL for Debian

debian

PostgreSQL for Ubuntu

ubuntu

Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)

14.04

Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)

16.04

Canonical Ubuntu Linux 17.04

17.04

Canonical Ubuntu Linux 17.10

17.10

Debian Linux 8.0 (Jessie)

8.0

Debian Linux 9.0

9.0

References

http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog

Issue Tracking, Third Party Advisory

101810

Third Party Advisory, VDB Entry

https://usn.ubuntu.com/usn/usn-3476-1/

Issue Tracking, Third Party Advisory

https://www.debian.org/security/2017/dsa-4029

Issue Tracking, Third Party Advisory

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.