CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS
Percentile
81.3%
Severity: Medium
Date : 2017-11-10
CVE-ID : CVE-2017-15098 CVE-2017-15099
Package : postgresql
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-485
The package postgresql before version 10.1-1 is vulnerable to multiple
issues including access restriction bypass and information disclosure.
Upgrade to 10.1-1.
The problems have been fixed upstream in version 10.1.
None.
A denial of service and potential memory disclosure vulnerability has
been discovered in PostgreSQL in the json_populate_recordset() and
jsonb_populate_recordset() functions.
An access restriction bypass vulnerability has been discovered in
PostgreSQL, the “INSERT … ON CONFLICT DO UPDATE” would not check to
see if the executing user had permission to perform a “SELECT” on the
index performing the conflicting check. Additionally, in a table with
row-level security enabled, the “INSERT … ON CONFLICT DO UPDATE”
would not check the SELECT policies for that table before performing
the update.
The fix ensures that “INSERT … ON CONFLICT DO UPDATE” checks against
table permissions and RLS policies before executing.
A remote attacker is able to bypass access restrictions via certain
queries or possibly leak sensitive information from the running
process.
https://www.postgresql.org/about/news/1801/
https://security.archlinux.org/CVE-2017-15098
https://security.archlinux.org/CVE-2017-15099
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | postgresql | < 10.1-1 | UNKNOWN |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H
EPSS
Percentile
81.3%