CVE-2017-8806 Information

Description

The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.

CVSS Vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Reference

http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog
http://www.securityfocus.com/bid/101810
https://usn.ubuntu.com/usn/usn-3476-1/
https://www.debian.org/security/2017/dsa-4029

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

Base Score

5.5

Base Severity

MEDIUM
