Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
PostgreSQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability - CVE-2017-15099 - Vulnerability Database
PostgreSQL

PostgreSQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability - CVE-2017-15099

Medium
Reference: CVE-2017-15099
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2017-15099
Title: PostgreSQL Exposure of Sensitive Information to an Unauthorized Actor Vulnerability
Overview:

INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1 9.6.x before 9.6.6 and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.