CVE-2021-3393 — Information Exposure via Error Message in Postgresql

CWE-209 — Information Exposure via Error Message6 documents6 sources

Severity

4.3MEDIUMNVD

EPSS

0.1%

top 70.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Debian Postgresql-13 Redhat Enterprise Linux

Timeline

PublishedApr 1

Latest updateFeb 15

Description

An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶debiandebian/postgresql-13< postgresql-13 13.2-1 (bullseye)

▶NVDpostgresql/postgresql12.0 — 12.6+2

▶CVEListV5postgresql/postgresqlpostgresql 13.2, postgresql 12.6, postgresql 11.11

Also affects: Enterprise Linux 8.0

🔴Vulnerability Details

GHSA

Generation of Error Message Containing Sensitive Information in postgresql↗2022-02-15

▶

OSV

CVE-2021-3393: An information leak was discovered in postgresql in versions before 13↗2021-04-01

▶

📋Vendor Advisories

Ubuntu

PostgreSQL vulnerability↗2021-02-15

▶

Red Hat

postgresql: Partition constraint violation errors leak values of denied columns↗2021-02-11

▶

Debian

CVE-2021-3393: postgresql-13 - An information leak was discovered in postgresql in versions before 13.2, before...↗2021

▶