Endpoint Vulnerability

PostgreSQL: INSERT ... ON CONFLICT DO UPDATE fails to enforce SELECT privileges

Description

PostgreSQL 9.5.x before 9.5.2 does not properly maintain row-security status in cached plans, which might allow attackers to bypass intended access restrictions by leveraging a session that performs queries as more than one role.

Affected Products

PostgreSQL

References

CVE-2017-15099