INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2017-11-22T18:00:00Z
Updated: 2024-09-16T16:43:27.924Z
Reserved: 2017-10-08T00:00:00
Link: CVE-2017-15099
Vulnrichment
No data.
NVD
Status : Modified
Published: 2017-11-22T18:29:00.583
Modified: 2024-11-21T03:14:04.250
Link: CVE-2017-15099
Redhat