Medium severity 6.5 · NVD Advisory · Published Nov 22, 2017 · Updated Jun 17, 2026
CVE-2017-15099
Description
INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
Affected products
- cpe:2.3:a:postgresql:postgresql:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.7:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.8:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.5.9:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.6.5:*:*:*:*:*:*:*
- (no CPE) range: <10.1, <9.6.6, <9.5.10
- osv-coords, 17 versions:
  - pkg:rpm/opensuse/postgresql10&distro=openSUSE%20Tumbleweed
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP2
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20Raspberry%20Pi%2012%20SP2
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP2
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
- (no CPE) range: < 10.18-1.3
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- (no CPE) range: < 9.6.6-3.10.1
- Red Hat, Inc./postgresql v5 Range: 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10
References
- www.securityfocus.com/bid/101781 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1039752 (nvd: Third Party Advisory, VDB Entry)
- www.debian.org/security/2017/dsa-4028 (nvd: Issue Tracking, Third Party Advisory)
- www.postgresql.org/about/news/1801/ (nvd: Issue Tracking, Vendor Advisory)
- www.postgresql.org/support/security/ (nvd: Issue Tracking, Vendor Advisory)
- access.redhat.com/errata/RHSA-2018:2511 (nvd)
- access.redhat.com/errata/RHSA-2018:2566 (nvd)