Alpine: postgresql: security update to 9.5.10-r0

Severity: High. Tenable Self-Hosted Container Security, Plugin ID 406488

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1,
9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server
or disclose a few bytes of server memory. (CVE-2017-15098)

- INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x
before 9.5.10 disclose table contents that the invoker lacks privilege to read. Only tables where the
attacker lacks full read access but has both INSERT and UPDATE privileges are affected. Exploitation
bypasses row-level security policies and the lack of SELECT privilege. (CVE-2017-15099)

See Also

https://security.alpinelinux.org/vuln/CVE-2017-15098

https://security.alpinelinux.org/vuln/CVE-2017-15099

Plugin Details

Severity: High

ID: 406488

Version: Revision 1.24

Type: Local

Published: 10/31/2023

Updated: 3/13/2025

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.1

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:P

CVSS Score Source: CVE-2017-15098

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 11/9/2017

Reference Information

CVE: CVE-2017-15098, CVE-2017-15099

BID: 101781

IAVB: 2017-B-0156-S