CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
79.9%
INSERT … ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
Vendor | Product | Version | CPE |
---|---|---|---|
postgresql | postgresql | 9.5 | cpe:2.3:a:postgresql:postgresql:9.5:*:*:*:*:*:*:* |
postgresql | postgresql | 9.5.1 | cpe:2.3:a:postgresql:postgresql:9.5.1:*:*:*:*:*:*:* |
postgresql | postgresql | 9.5.2 | cpe:2.3:a:postgresql:postgresql:9.5.2:*:*:*:*:*:*:* |
postgresql | postgresql | 9.5.3 | cpe:2.3:a:postgresql:postgresql:9.5.3:*:*:*:*:*:*:* |
postgresql | postgresql | 9.5.4 | cpe:2.3:a:postgresql:postgresql:9.5.4:*:*:*:*:*:*:* |
postgresql | postgresql | 9.5.5 | cpe:2.3:a:postgresql:postgresql:9.5.5:*:*:*:*:*:*:* |
postgresql | postgresql | 9.5.6 | cpe:2.3:a:postgresql:postgresql:9.5.6:*:*:*:*:*:*:* |
postgresql | postgresql | 9.5.7 | cpe:2.3:a:postgresql:postgresql:9.5.7:*:*:*:*:*:*:* |
postgresql | postgresql | 9.5.8 | cpe:2.3:a:postgresql:postgresql:9.5.8:*:*:*:*:*:*:* |
postgresql | postgresql | 9.5.9 | cpe:2.3:a:postgresql:postgresql:9.5.9:*:*:*:*:*:*:* |
[
{
"product": "postgresql",
"vendor": "Red Hat, Inc.",
"versions": [
{
"status": "affected",
"version": "10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10"
}
]
}
]
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
79.9%