CVE-2021-32028 — Sensitive Information Exposure in Postgresql

CWE-200 — Sensitive Information Exposure9 documents7 sources

Severity

6.5MEDIUMNVD

OSV8.8

EPSS

0.5%

top 35.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Debian Postgresql-13

Timeline

PublishedOct 11

Latest updateOct 25

Description

A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/postgresql-13< postgresql-13 13.3-1 (bullseye)

▶NVDpostgresql/postgresql9.6.0 — 9.6.22+4

▶CVEListV5postgresql/postgresqlpostgresql 13.3, postgresql 12.7, postgresql 11.12, postgresql 10.17, postgresql 9.6.22

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-fr87-j862-8rwm: A flaw was found in postgresql↗2022-05-24

▶

OSV

CVE-2021-32028: A flaw was found in postgresql↗2021-10-11

▶

OSV

postgresql-10, postgresql-12, postgresql-13 vulnerabilities↗2021-06-01

▶

📋Vendor Advisories

CISA ICS

Hitachi Energy MicroSCADA X DMS600↗2022-10-25

▶

CISA ICS

Hitachi Energy MicroSCADA Pro/X SYS600↗2022-04-21

▶

Ubuntu

PostgreSQL vulnerabilities↗2021-06-01

▶

Red Hat

postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE↗2021-05-13

▶

Debian

CVE-2021-32028: postgresql-13 - A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE co...↗2021

▶