CVE-2017-14798

local privilege escalation in SUSE postgresql init script

CVSS 7.3 HIGHEPSS 1.0%CWE-61

In short

A timing flaw in the PostgreSQL startup script allows someone with access to the PostgreSQL account to gain root-level permissions. An attacker could exploit this race condition during system startup to escalate their privileges.

Technical detail

A race condition exists in the SUSE PostgreSQL init script (CWE-61) that can be exploited by an attacker with postgresql account access to achieve local privilege escalation to root. The vulnerability occurs during the initialization phase when file permissions or ownership are set, allowing a malicious user to manipulate the process flow and gain elevated privileges before proper access controls are enforced.

Summary generated and translated by AI from the official description.

A race condition in the postgresql init script could be used by attackers able to access the postgresql account to escalate their privileges to root.

CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Affected products

suse · postgresql-init

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://lists.suse.com/pipermail/sle-security-updates/2017-November/003420.html https://bugzilla.suse.com/show_bug.cgi?id=1062722 https://www.exploit-db.com/exploits/45184/https://www.suse.com/de-de/security/cve/CVE-2017-14798/