CVE-2017-15099
Publication date 9 November 2017
Last updated 24 July 2024
Ubuntu priority
INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| postgresql-10 | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| postgresql-9.1 | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| postgresql-9.3 | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Not affected
|
|
| postgresql-9.5 | ||
| 16.04 LTS xenial |
Fixed 9.5.10-0ubuntu0.16.04
|
|
| 14.04 LTS trusty | Not in release | |
| postgresql-9.6 | ||
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Notes
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
6.5 · Medium
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | None |
| Availability impact | None |
| Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References
Related Ubuntu Security Notices (USN)
- USN-3479-1
- PostgreSQL vulnerabilities
- 14 November 2017