MEDIUM
INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.
http://www.securityfocus.com/bid/101781
http://www.securitytracker.com/id/1039752
https://access.redhat.com/errata/RHSA-2018:2511
https://access.redhat.com/errata/RHSA-2018:2566
https://www.debian.org/security/2017/dsa-4028
Source: MITRE
Published: 2017-11-22
Updated: 2018-08-28
Type: CWE-200
Base Score: 4
Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Impact Score: 2.9
Exploitability Score: 8
Severity: MEDIUM
Base Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Impact Score: 3.6
Exploitability Score: 2.8
Severity: MEDIUM