Alpaquita Linux
Security Advisory

CVE-2017-15099

Published: August 31, 2023Last modified: August 31, 2023

Description

INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.

Severity score breakdown

ParameterValue
Base score6.5
Attack VectorNETWORK
Attack complexityLOW
Privileges requiredLOW
User interactionNONE
ScopeUNCHANGED
ConfidentialityHIGH
Integrity impactNONE
Availability impactNONE
VectorCVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Status

ProductReleasePackageStatus
Alpaquita Linux23 LTSpostgresql15Not affected (15.4-r0)
Streampostgresql15Not affected (15.4-r0)

References

ON THIS PAGE