Description |
An access restriction bypass vulnerability has been discovered in PostgreSQL, the "INSERT ... ON CONFLICT DO UPDATE" would not check to see if the executing user had permission to perform a "SELECT" on the index performing the conflicting check. Additionally, in a table with row-level security enabled, the "INSERT ... ON CONFLICT DO UPDATE" would not check the SELECT policies for that table before performing the update.
The fix ensures that "INSERT ... ON CONFLICT DO UPDATE" checks against table permissions and RLS policies before executing. |