[Forgot Password]
Login  Register Subscribe

24436

 
 

131815

 
 

116471

 
 

909

 
 

91176

 
 

140

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML view JSON

CVE-2017-15099Date: (C)2017-11-29   (M)2018-11-05


INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 6.5CVSS Score : 4.0
Exploit Score: 2.8Exploit Score: 8.0
Impact Score: 3.6Impact Score: 2.9
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: LOW
Privileges Required: LOWAuthentication: SINGLE_INSTANCE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: NONE
Confidentiality: HIGHAvailability: NONE
Integrity: NONE 
Availability: NONE 
  
Reference:
BID-101781
SECTRACK-1039752
DSA-4028
RHSA-2018:2511
RHSA-2018:2566
https://www.postgresql.org/about/news/1801/
https://www.postgresql.org/support/security/

CPE    4
cpe:/a:postgresql:postgresql:9.6
cpe:/o:debian:debian_linux:9.0
cpe:/a:postgresql:postgresql:10
cpe:/a:postgresql:postgresql:9.5
...
CWE    1
CWE-200
OVAL    7
oval:org.secpod.oval:def:603166
oval:org.secpod.oval:def:1600812
oval:org.secpod.oval:def:1800286
oval:org.secpod.oval:def:44452
...

© SecPod Technologies