CVE-2017-7484 in PostgreSQL

Summary

by MITRE

It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.

Analysis

by VulDB Data Team • 09/07/2025

This vulnerability in PostgreSQL represents a significant information disclosure flaw that undermines the database's privilege enforcement mechanisms. The issue affects multiple major version lines including 9.2 through 9.6, with specific patched versions outlined in the advisory. The vulnerability stems from insufficient privilege checking within selectivity estimation functions that are used by the query planner to estimate result set sizes. These functions, which are critical for query optimization, were designed to access pg_statistic system tables containing statistical information about database objects. When these functions failed to verify whether the requesting user possessed adequate privileges before accessing pg_statistic data, they created an avenue for unauthorized information retrieval.

The technical flaw manifests in how PostgreSQL's query planner operates during query execution. When estimating the selectivity of conditions, the system relies on statistical data stored in pg_statistic tables to determine optimal execution plans. However, the selectivity estimation functions did not properly validate user permissions before accessing this statistical information. This oversight allowed attackers to leverage these estimation functions as a means to indirectly access statistical data from tables they normally couldn't view, effectively bypassing standard access controls. The vulnerability is particularly concerning because it operates at the query planning level, meaning it can be exploited without direct database access or explicit table queries.

The operational impact of this vulnerability extends beyond simple information disclosure, as it fundamentally compromises database security boundaries. An unprivileged user could potentially reconstruct sensitive information about database structures, data distributions, and access patterns by analyzing the statistical data leaked through these functions. This information could then be used to craft more sophisticated attacks or to understand the database's internal structure and data characteristics. The vulnerability affects the principle of least privilege enforcement, where users should only access data they have explicit permission to view. From an attacker's perspective, this represents a stealthy method of reconnaissance that doesn't trigger typical access logging mechanisms, making detection more difficult.

Security practitioners should prioritize patching affected PostgreSQL installations to address this vulnerability, as it represents a clear violation of database security principles. The mitigation strategy involves upgrading to the patched versions specified in the advisory, which implement proper privilege checking in the selectivity estimation functions. Organizations should also conduct thorough security assessments to identify any potential exploitation attempts that may have occurred before patching. The vulnerability aligns with CWE-200 (Information Exposure) and represents a specific case of privilege escalation through information leakage. From an ATT&CK framework perspective, this maps to T1083 (File and Directory Discovery) and T1069.003 (Unsecured Credentials) as it enables attackers to gather information about database objects and potentially extract sensitive data patterns. Database administrators should also consider implementing additional monitoring for unusual query planning activities that might indicate exploitation attempts.
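To support the patching step above, the following added example (not code from VulDB or the PostgreSQL project) triages an inventory of server version strings against the fixed releases listed in the summary. The host names and sample strings are constructed, and branches newer than 9.6 are reported as not affected only because the advisory does not list them.

```python
import re

# First fixed release per branch, taken from the advisory text above.
FIXED = {(9, 2): 21, (9, 3): 17, (9, 4): 12, (9, 5): 7, (9, 6): 3}
OLDEST_LISTED = min(FIXED)  # (9, 2): anything before 9.2.21 is affected
VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from server_version or version() output.

    Returns None when no version number is present. A missing patch
    component (for example "9.6beta1") is treated as patch 0.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(text):
    """True or False per the advisory's ranges, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    branch, patch = v[:2], v[2]
    if branch < OLDEST_LISTED:
        return True
    if branch in FIXED:
        return patch < FIXED[branch]
    return False  # branch newer than 9.6: not listed in the advisory


def triage(inventory):
    """Label each host in a {host: version_string} dict."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {host: labels[is_affected(ver)] for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hosts).
SAMPLE = {
    "db-a": "PostgreSQL 9.5.6 on x86_64-pc-linux-gnu, compiled by gcc 4.9.2",
    "db-b": "9.6.3", "db-c": "9.2.20", "db-d": "9.6beta1",
    "db-e": "9.1.24", "db-f": "connection refused",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(host, status)
```

Hosts labelled "unknown" need a manual check, since an unparseable version string says nothing about patch level.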

Reservation

04/05/2017

Disclosure

05/12/2017

Moderation

accepted

CPE

ready

EPSS

0.01443

KEV

no

Activities

very low
