CVE-2017-15099
Description
INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
Risk Information
Base Score
6.5
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score
Exploitation Probability
30.234
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Update PostgressSQL to 9.5.10 | Windows |
| Vulnerabilities CVE-2017-15099,CVE-2017-15098,CVE-2017-12172 are fixed in PostgreSQL 10.1 | Windows |
| Vulnerabilities CVE-2017-15099,CVE-2017-15098,CVE-2017-12172 are fixed in PostgreSQL 9.6.6 | Windows |
| Vulnerabilities CVE-2017-15099,CVE-2017-15098,CVE-2017-12172 are fixed in PostgreSQL 9.5.10 | Windows |
| Object-relational SQL database (USN-3479-1) postgresql-9.6_9.6.6-0ubuntu0.17.04_i386.deb | Linux |
| Object-relational SQL database (USN-3479-1) postgresql-9.6_9.6.6-0ubuntu0.17.04_amd64.deb | Linux |
| Update PostgressSQL to 9.5.10 (For Linux) | Linux |
| Vulnerabilities CVE-2017-15099,CVE-2017-15098,CVE-2017-12172 are fixed in PostgreSQL 10.1 (For Linux) | Linux |
| Vulnerabilities CVE-2017-15099,CVE-2017-15098,CVE-2017-12172 are fixed in PostgreSQL 9.6.6 (For Linux) | Linux |
| Vulnerabilities CVE-2017-15099,CVE-2017-15098,CVE-2017-12172 are fixed in PostgreSQL 9.5.10 (For Linux) | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234