Risk | Low |
Patch available | YES |
Number of vulnerabilities | 3 |
CVE-ID | CVE-2014-8161 CVE-2021-20229 CVE-2021-3393 |
CWE-ID | CWE-209 CWE-264 CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software | Arch Linux (Operating systems & Components / Operating system) |
Vendor | Arch Linux |
Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU30418
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-8161
CWE-ID:
CWE-209 - Information Exposure Through an Error Message
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The vulnerability exists due to excessive data output in constraint-violation error messages. PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain column values they are not permitted to read by triggering a constraint violation and then reading the error message.
Mitigation
Update the affected package postgresql to version 13.2-1.
Vulnerable software versions
Arch Linux: All versions
External links
http://security.archlinux.org/advisory/ASA-202102-31
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50656
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-20229
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to gain access to sensitive information.
The vulnerability exists because the application does not properly enforce column-level access restrictions. A user holding SELECT privilege on an individual column can craft a query that returns all columns of the table. Additionally, a stored view that relies on column-level privileges carries an incomplete column-usage bitmap, which the package upgrade alone does not repair. In installations that depend on column-level permissions for security, execute CREATE OR REPLACE VIEW on all user-defined views to force them to be re-parsed.
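The re-parse step above is easy to get wrong at scale (views in many schemas, views with security_barrier or check_option settings). The following is an added example, not code from the Arch advisory or from PostgreSQL's release notes; it sets up a column-level grant, then regenerates every user-defined view in the current database with CREATE OR REPLACE VIEW so its column-usage bitmap is rebuilt, and finally checks that the denied column stays unreadable. The schema, table, role and view names (hr, staff, app_reader, staff_public) are hypothetical; run it as a superuser in a scratch database.

```sql
-- Added example; not code from the Arch advisory or from PostgreSQL's release notes.
-- Run as a superuser in a scratch database. The schema, table, role and view names
-- (hr, staff, app_reader, staff_public) are hypothetical.

-- 1. A table in which app_reader may read only two of the three columns.
CREATE SCHEMA hr;
CREATE TABLE hr.staff (id int PRIMARY KEY, name text, salary numeric);
CREATE ROLE app_reader LOGIN;
GRANT USAGE ON SCHEMA hr TO app_reader;
GRANT SELECT (id, name) ON hr.staff TO app_reader;   -- column-level grant; salary stays denied

-- 2. A view created while running an affected server stores an incomplete
--    column-usage bitmap; the upgrade does not rewrite stored views.
CREATE VIEW hr.staff_public AS SELECT id, name FROM hr.staff;
GRANT SELECT ON hr.staff_public TO app_reader;

-- 3. After upgrading to postgresql 13.2-1, force every user-defined view in this
--    database to be re-parsed. CREATE OR REPLACE VIEW keeps the view's OID, owner
--    and grants; the stored reloptions (security_barrier, check_option) are carried
--    over so the rewrite does not silently weaken them.
DO $$
DECLARE
  v record;
BEGIN
  FOR v IN
    SELECT n.nspname, c.relname, c.oid, c.reloptions
    FROM   pg_class c
    JOIN   pg_namespace n ON n.oid = c.relnamespace
    WHERE  c.relkind = 'v'
      AND  n.nspname NOT IN ('pg_catalog', 'information_schema')
  LOOP
    EXECUTE format(
      'CREATE OR REPLACE VIEW %I.%I %s AS %s',
      v.nspname,
      v.relname,
      CASE WHEN v.reloptions IS NULL THEN ''
           ELSE 'WITH (' || array_to_string(v.reloptions, ', ') || ')' END,
      pg_get_viewdef(v.oid, true));
  END LOOP;
END
$$;

-- 4. Confirm the boundary still holds for the restricted role.
SET ROLE app_reader;
SELECT id, name FROM hr.staff_public;   -- permitted
SELECT salary FROM hr.staff;            -- must fail with "permission denied"
RESET ROLE;
```

The DO block only covers the database it is run in, so repeat it in every database of the cluster. It must be run by a role that owns the views or by a superuser, since CREATE OR REPLACE VIEW requires ownership.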
Mitigation
Update the affected package postgresql to version 13.2-1.
Vulnerable software versions
Arch Linux: All versions
External links
http://security.archlinux.org/advisory/ASA-202102-31
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU50655
Risk: Low
CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-3393
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
Description
The vulnerability allows a remote authenticated user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output in an error message. A remote authenticated user holding UPDATE privilege on a partitioned table but lacking SELECT privilege on some of its columns may obtain the denied column values from an error message. This vulnerability is similar to #VU30418 (CVE-2014-8161).
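The affected privilege pattern is narrow (UPDATE on a partitioned table combined with a column-level SELECT gap), so it is worth inventorying before and after the upgrade. The following is an added example, not code from the Arch advisory or from PostgreSQL; it creates that pattern on purpose and then runs a catalog query that lists every role, partitioned table and column where the role can UPDATE the table but is denied SELECT on the column. The objects (schema audit_demo, table events, role batch_writer) are hypothetical; run it as a superuser in a scratch database.

```sql
-- Added example; not code from the Arch advisory or from PostgreSQL.
-- Hypothetical objects: schema audit_demo, partitioned table events, role batch_writer.
-- Run as a superuser in a scratch database.

CREATE SCHEMA audit_demo;
CREATE TABLE audit_demo.events (
  id        bigint,
  tenant_id int,
  secret    text,
  status    text
) PARTITION BY LIST (tenant_id);
CREATE TABLE audit_demo.events_t1 PARTITION OF audit_demo.events FOR VALUES IN (1);

CREATE ROLE batch_writer LOGIN;
GRANT USAGE ON SCHEMA audit_demo TO batch_writer;
-- Table-level UPDATE, but SELECT only on the non-sensitive columns: exactly the
-- combination the advisory describes.
GRANT UPDATE ON audit_demo.events TO batch_writer;
GRANT SELECT (id, tenant_id, status) ON audit_demo.events TO batch_writer;

-- Inventory query: every (role, partitioned table, column) where the role holds
-- UPDATE on the table (table-level or on any column) but is denied SELECT on the
-- column. Role membership is taken into account by the has_*_privilege functions.
-- Each row is a place where an unpatched server could leak the denied column
-- through an error message.
SELECT r.rolname,
       c.oid::regclass AS partitioned_table,
       a.attname       AS denied_column
FROM   pg_class c
JOIN   pg_attribute a ON a.attrelid = c.oid AND a.attnum > 0 AND NOT a.attisdropped
CROSS JOIN pg_roles r
WHERE  c.relkind = 'p'                       -- partitioned tables only
  AND  r.rolcanlogin AND NOT r.rolsuper      -- superusers bypass privilege checks anyway
  AND  has_any_column_privilege(r.oid, c.oid, 'UPDATE')
  AND  NOT has_column_privilege(r.oid, c.oid, a.attnum, 'SELECT')
ORDER BY 1, 2, 3;
```

On the objects created above the query reports the secret column for batch_writer, because that role can UPDATE audit_demo.events but has no SELECT grant covering secret. Rows returned by this query are not a vulnerability on a patched server; they identify the roles and columns whose error-message behaviour the upgrade to 13.2-1 corrects, and they are the grants to review if the upgrade cannot be applied immediately.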
Mitigation
Update the affected package postgresql to version 13.2-1.
Vulnerable software versions
Arch Linux: All versions
External links
http://security.archlinux.org/advisory/ASA-202102-31
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.