CVE-2021-20229Incorrect Authorization in Postgresql

CWE-863Incorrect Authorization6 documents6 sources
Severity
4.3MEDIUMNVD
EPSS
0.1%
top 75.30%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
12
PostgresqlDebian Postgresql-13Fedoraproject Fedora+9 more
Timeline
PublishedFeb 23
Latest updateFeb 15

Description

A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages11 packages

debiandebian/postgresql-13< postgresql-13 13.2-1 (bullseye)
NVDpostgresql/postgresql13.013.2
CVEListV5postgresql/postgresqlpostgresql 13.2, postgresql 12.6, postgresql 11.11, postgresql 10.16, postgresql 9.6.21, postgresql 9.5.25

Also affects: Fedora 33, Enterprise Linux 7.0, 8.0

🔴Vulnerability Details

2
GHSA
Incorrect Authorization in PostgreSQL2022-02-15
OSV
CVE-2021-20229: A flaw was found in PostgreSQL in versions before 132021-02-23

📋Vendor Advisories

3
Red Hat
postgresql: single-column SELECT privilege enables reading all columns2021-02-11
Microsoft
A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat f2021-02-09
Debian
CVE-2021-20229: postgresql-13 - A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user ...2021