PostgreSQL maintains column statistics for tables. Certain statistics, such
as histograms and lists of most common values, contain values taken from the
column. PostgreSQL does not evaluate row security policies before consulting
those statistics during query planning; an attacker can exploit this to read
the most common values of certain columns. Affected columns are those for
which the attacker has SELECT privilege and for which, in an ordinary query,
row-level security prunes the set of rows visible to the attacker.
Name: Noah Misch, the PostgreSQL Project
Upstream: Dean Rasheed
Created mingw-postgresql tracking bugs for this issue:
Affects: fedora-all [bug 1709193]
Created postgresql tracking bugs for this issue:
Affects: fedora-all [bug 1709192]
This vulnerability requires row level security to be in use, and an attacker to be able to execute crafted queries against the target PostgreSQL database. Neither of these conditions is true in Red Hat Ansible Tower, Red Hat CloudForms or Red Hat Satellite.
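The affected-column conditions in the description (SELECT privilege on the column, row-level security in effect for the role) can be checked per database with a catalog query. The query below is an added example, not part of the advisory or of PostgreSQL's own tooling; it assumes a superuser session, since `pg_statistic` is not readable otherwise.

```sql
-- Added example: exposure audit for the current database.
-- Lists (table, column, role) combinations where:
--   * the table has row-level security enabled,
--   * the role is subject to it (not superuser, no BYPASSRLS, and not
--     acting as the table owner unless FORCE ROW LEVEL SECURITY is set),
--   * the role holds SELECT on the column, and
--   * the planner stores value-bearing statistics for the column
--     (stakind 1 = most-common-values list, stakind 2 = histogram).
SELECT n.nspname AS schema_name,
       c.relname AS table_name,
       a.attname AS column_name,
       r.rolname AS role_name,
       bool_or(1 IN (s.stakind1, s.stakind2, s.stakind3,
                     s.stakind4, s.stakind5)) AS has_mcv_list,
       bool_or(2 IN (s.stakind1, s.stakind2, s.stakind3,
                     s.stakind4, s.stakind5)) AS has_histogram
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_attribute a ON a.attrelid = c.oid
                   AND a.attnum > 0
                   AND NOT a.attisdropped
JOIN pg_statistic s ON s.starelid = c.oid
                   AND s.staattnum = a.attnum
CROSS JOIN pg_roles r
WHERE c.relkind IN ('r', 'p')
  AND c.relrowsecurity
  AND NOT r.rolsuper
  AND NOT r.rolbypassrls
  AND (c.relforcerowsecurity
       OR NOT pg_has_role(r.oid, c.relowner, 'USAGE'))
  AND has_column_privilege(r.oid, c.oid, a.attnum, 'SELECT')
  AND (1 IN (s.stakind1, s.stakind2, s.stakind3, s.stakind4, s.stakind5)
       OR 2 IN (s.stakind1, s.stakind2, s.stakind3, s.stakind4, s.stakind5))
GROUP BY n.nspname, c.relname, a.attname, r.rolname
ORDER BY schema_name, table_name, column_name, role_name;
```

The result is an upper bound: whether a policy actually prunes rows for a listed role depends on the policy definitions in `pg_policies`, which should be reviewed for each table returned.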