#VU50655 Information disclosure in PostgreSQL


Vulnerability identifier: #VU50655

Vulnerability risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-3393

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote user to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output in the error message. A remote user having an UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may be able to acquire denied-column values from an error message. This vulnerability is similar to #VU30418.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 13.0 - 13.1, 12.0 - 12.5, 11.0 - 11.10

External links
http://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Security Verify Access
Red Hat Software Collections update for rh-postgresql12-postgresql
Red Hat Enterprise Linux TUS 8.2 update for the postgresql:12 module
Red Hat Enterprise Linux 8.4 update for the postgresql:12 module
SUSE update for postgresql12
Gentoo update for PostgreSQL
SUSE update for postgresql12
Information disclosure in postgresql (Alpine package)
Arch Linux update for postgresql
Ubuntu update for postgresql-12