[Forgot Password]
Login  Register Subscribe

24128

 
 

131615

 
 

112965

 
 

909

 
 

87888

 
 

136

Paid content will be excluded from the download.


Download | Alert*
CVE
view XML view JSON

CVE-2017-15099Date: (C)2017-11-29   (M)2018-07-18


INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.

CVSS Score and Metrics +CVSS Score and Metrics -

CVSS V3 Severity:CVSS V2 Severity:
CVSS Score : 6.5CVSS Score : 4.0
Exploit Score: 2.8Exploit Score: 8.0
Impact Score: 3.6Impact Score: 2.9
 
CVSS V3 Metrics:CVSS V2 Metrics:
Attack Vector: NETWORKAccess Vector: NETWORK
Attack Complexity: LOWAccess Complexity: LOW
Privileges Required: LOWAuthentication: SINGLE_INSTANCE
User Interaction: NONEConfidentiality: PARTIAL
Scope: UNCHANGEDIntegrity: NONE
Confidentiality: HIGHAvailability: NONE
Integrity: NONE 
Availability: NONE 
  
Reference:
BID-101781
SECTRACK-1039752
DSA-4028
https://www.postgresql.org/about/news/1801/
https://www.postgresql.org/support/security/

CPE    3
cpe:/a:postgresql:postgresql:9.6
cpe:/a:postgresql:postgresql:9.5
cpe:/o:debian:debian_linux:9.0
CWE    1
CWE-200
OVAL    7
oval:org.secpod.oval:def:1800286
oval:org.secpod.oval:def:44452
oval:org.secpod.oval:def:603166
oval:org.secpod.oval:def:1800769
...

© SecPod Technologies