CVE-2017-8806 - Vulnerability Details - OpenCVE

The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.0016.

Key SSVC decision points have not yet been added.

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Postgresql	Postgresql

Configuration 1 [-]

AND

cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:*:*:*

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:17.04:::::::*
	cpe:2.3:o:canonical:ubuntu_linux:17.10:::::::*
	cpe:2.3:o:debian:debian_linux:8.0:::::::*
	cpe:2.3:o:debian:debian_linux:9.0:::::::*

No data.

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-1169-1	postgresql-common security update
Debian DSA	DSA-4029-1	postgresql-common security update
Ubuntu USN	USN-3476-1	postgresql-common vulnerabilities
Ubuntu USN	USN-3476-2	postgresql-common vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog
http://www.securityfocus.com/bid/101810
https://usn.ubuntu.com/usn/usn-3476-1/
https://www.debian.org/security/2017/dsa-4029

History

Sun, 13 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00252}`	epss `{'score': 0.00228}`

MITRE

Status: PUBLISHED

Assigner: debian

Published: 2017-11-13T09:00:00

Updated: 2024-08-05T16:48:21.905Z

Reserved: 2017-05-07T00:00:00

Link: CVE-2017-8806

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-11-13T09:29:00.403

Modified: 2025-04-20T01:37:25.860

Link: CVE-2017-8806

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "PostgreSQL-related scripts that are specific to Debian and Ubuntu", "vendor": "n/a", "versions": [{"status": "affected", "version": "PostgreSQL-related scripts that are specific to Debian and Ubuntu"}]}], "datePublic": "2017-11-13T00:00:00", "descriptions": [{"lang": "en", "value": "The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files."}], "problemTypes": [{"descriptions": [{"description": "handled symbolic links insecurely", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-11-16T10:57:01", "orgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "shortName": "debian"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog"}, {"name": "101810", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/101810"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://usn.ubuntu.com/usn/usn-3476-1/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.debian.org/security/2017/dsa-4029"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@debian.org", "ID": "CVE-2017-8806", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "PostgreSQL-related scripts that are specific to Debian and Ubuntu", "version": {"version_data": [{"version_value": "PostgreSQL-related scripts that are specific to Debian and Ubuntu"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "handled symbolic links insecurely"}]}]}, "references": {"reference_data": [{"name": "http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog", "refsource": "CONFIRM", "url": "http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog"}, {"name": "101810", "refsource": "BID", "url": "http://www.securityfocus.com/bid/101810"}, {"name": "https://usn.ubuntu.com/usn/usn-3476-1/", "refsource": "CONFIRM", "url": "https://usn.ubuntu.com/usn/usn-3476-1/"}, {"name": "https://www.debian.org/security/2017/dsa-4029", "refsource": "CONFIRM", "url": "https://www.debian.org/security/2017/dsa-4029"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:48:21.905Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog"}, {"name": "101810", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/101810"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://usn.ubuntu.com/usn/usn-3476-1/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.debian.org/security/2017/dsa-4029"}]}]}, "cveMetadata": {"assignerOrgId": "79363d38-fa19-49d1-9214-5f28da3f3ac5", "assignerShortName": "debian", "cveId": "CVE-2017-8806", "datePublished": "2017-11-13T09:00:00", "dateReserved": "2017-05-07T00:00:00", "dateUpdated": "2024-08-05T16:48:21.905Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:postgresql:postgresql:-:*:*:*:*:*:*:*", "matchCriteriaId": "ECC070DF-4131-43BA-B975-907023E0D39F", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": false}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": false}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.04:*:*:*:*:*:*:*", "matchCriteriaId": "588D4F37-0A56-47A4-B710-4D5F3D214FB9", "vulnerable": false}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "matchCriteriaId": "9070C9D8-A14A-467F-8253-33B966C16886", "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": false}, {"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files."}, {"lang": "es", "value": "Los scripts de Debian pg_ctlcluster, pg_createcluster y pg_upgradecluster, tal y como se distribuyen en el paquete de Debian postgresql-common anterior a 181+deb9u1 para PostgreSQL (y otros paquetes relacionados con Debian y Ubuntu), manipularon v\u00ednculos simb\u00f3licos de forma no segura, lo que podr\u00eda desembocar en una denegaci\u00f3n de servicio local sobrescribiendo archivos arbitrarios."}], "id": "CVE-2017-8806", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-13T09:29:00.403", "references": [{"source": "security@debian.org", "tags": ["Broken Link", "Issue Tracking", "Third Party Advisory"], "url": "http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog"}, {"source": "security@debian.org", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101810"}, {"source": "security@debian.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://usn.ubuntu.com/usn/usn-3476-1/"}, {"source": "security@debian.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-4029"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Issue Tracking", "Third Party Advisory"], "url": "http://metadata.ftp-master.debian.org/changelogs/main/p/postgresql-common/postgresql-common_181+deb9u1_changelog"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/101810"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://usn.ubuntu.com/usn/usn-3476-1/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://www.debian.org/security/2017/dsa-4029"}], "sourceIdentifier": "security@debian.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-59"}], "source": "nvd@nist.gov", "type": "Primary"}]}