INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2017-11-22T18:00:00Z

Updated: 2024-09-16T16:43:27.924Z

Reserved: 2017-10-08T00:00:00

Link: CVE-2017-15099

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2017-11-22T18:29:00.583

Modified: 2024-11-21T03:14:04.250

Link: CVE-2017-15099

cve-icon Redhat

Severity : Low

Publid Date: 2017-11-09T00:00:00Z

Links: CVE-2017-15099 - Bugzilla