ALT-PU-2017-3627-1

Package update postgresql10 in branch sisyphus

Version10.1-alt1

Published2017-11-09

Max severityMEDIUM

Severity:

Closed issues (2)

MEDIUM6.5

Уязвимость реализации команды «INSERT ... ON CONFLICT DO UPDATE» системы управления базами данных PostgreSQL, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2019-11-19

CVSS 3.xMEDIUM 6.5

CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS 2.0MEDIUM 6.8

CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:N/A:N

References

CVE-2017-15099

MEDIUM6.5

INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.

Published: 2017-11-22Modified: 2025-04-20

CVSS 2.0MEDIUM 4.0

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS 3.xMEDIUM 6.5

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References