Vulnerability in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 (CVE-2017-15099)

oval:org.cisecurity:def:8187

INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row-level security policies and lack of SELECT privilege.

Family:
windows
Status:
ACCEPTED
Platform(s):
  • Microsoft Windows Server 2016
  • Microsoft Windows 10
  • Microsoft Windows 8.1
  • Microsoft Windows XP
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 8
  • Microsoft Windows Server 2008
  • Microsoft Windows Vista
  • Microsoft Windows 7
Class:
vulnerability
Reference(s):
  • CVE-2017-15099
Product(s):
  • PostgreSQL