Vulnerability & Exploit Database

PostgreSQL class C vulnerability in core server: CVE-2017-15099

Severity: 4
CVSS: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published: November 09, 2017
Added: November 09, 2017
Modified: December 13, 2017

Description

INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
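
To find where a server is exposed before it is upgraded, the audit query below lists role and table pairs that match the precondition in the description. It is an added example, not part of the original advisory. It assumes table-level privileges only (column-level SELECT grants are not evaluated) and must be run by a role that can read pg_roles.

```sql
-- Added example: audit for the CVE-2017-15099 precondition.
-- A (role, table) pair is listed when the role holds both INSERT and UPDATE
-- on the table and either lacks SELECT or is subject to row level security.
SELECT
    current_setting('server_version')  AS server_version,
    r.rolname                          AS role_name,
    c.oid::regclass                    AS table_name,
    NOT has_table_privilege(r.oid, c.oid, 'SELECT') AS lacks_select,
    c.relrowsecurity                   AS rls_enabled
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
CROSS JOIN pg_roles r
WHERE c.relkind IN ('r', 'p')          -- ordinary and partitioned tables
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND NOT r.rolsuper                   -- superusers can read everything anyway
  AND has_table_privilege(r.oid, c.oid, 'INSERT')
  AND has_table_privilege(r.oid, c.oid, 'UPDATE')
  AND (
        -- no read access at all
        NOT has_table_privilege(r.oid, c.oid, 'SELECT')
        -- or read access that row level security is supposed to restrict
        OR (
            c.relrowsecurity
            AND NOT r.rolbypassrls
            -- owners are exempt from policies unless FORCE ROW LEVEL SECURITY is set
            AND (r.oid <> c.relowner OR c.relforcerowsecurity)
        )
      )
ORDER BY table_name, role_name;
```

Any row returned on a server older than 10.1, 9.6.6 or 9.5.10 identifies a table whose contents that role may be able to read despite the missing SELECT privilege or the row level security policy.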

Solution

postgres-upgrade-10_1