CVE-2017-15099

Name of the Vulnerable Software and Affected Versions PostgreSQL versions 10.x prior to 10.1 PostgreSQL versions 9.6.x prior to 9.6.6 PostgreSQL versions 9.5.x prior to 9.5.10

Description The issue is related to the implementation of the INSERT ... ON CONFLICT DO UPDATE command in PostgreSQL, which lacks protection for internal data. This can allow a remote attacker to gain unauthorized access to protected information. The commands can disclose table contents to an invoker who lacks the privilege to read them, affecting tables where the attacker has INSERT and UPDATE privileges but not full read access. The exploits bypass row-level security policies and the lack of SELECT privilege.

Recommendations For PostgreSQL versions 10.x prior to 10.1, update to version 10.1 or later. For PostgreSQL versions 9.6.x prior to 9.6.6, update to version 9.6.6 or later. For PostgreSQL versions 9.5.x prior to 9.5.10, update to version 9.5.10 or later.