CVE-2021-32029 — Sensitive Information Exposure in Postgresql

CWE-200 — Sensitive Information Exposure CWE-125 — Out-of-bounds Read7 documents7 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 62.15%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Redhat Jboss Enterprise Application Platform

Timeline

PublishedOct 8

Latest updateMay 24

Description

A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶NVDpostgresql/postgresql11.0 — 11.12+2

▶CVEListV5postgresql/postgresqlpostgresql 13.3, postgresql 12.7, postgresql 11.12

▶NVDredhat/jboss_enterprise_application_platform7.0.0

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-f47v-jjrp-x56x: A flaw was found in postgresql↗2022-05-24

▶

CVEList

CVE-2021-32029: A flaw was found in postgresql↗2021-10-08

▶

OSV

CVE-2021-32029: A flaw was found in postgresql↗2021-10-08

▶

📋Vendor Advisories

Ubuntu

PostgreSQL vulnerabilities↗2021-06-01

▶

Red Hat

postgresql: Memory disclosure in partitioned-table UPDATE ... RETURNING↗2021-05-13

▶

Debian

CVE-2021-32029: postgresql-13 - A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpo...↗2021

▶