CVE-2021-3393

An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.

Published: Apr 1, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-3393
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:P/I:N/A:N

CWEs:

CWE-209

OWASP TOP 10:

A6 - Security Misconfiguration

Affected Software
References

Software	From	Fixed in
postgresql / postgresql	13.0	13.2
postgresql / postgresql	12.0	12.6
postgresql / postgresql	-	11.11
redhat / enterprise_linux	8.0	8.0.x

https://bugzilla.redhat.com/show_bug.cgi?id=1924005
https://security.gentoo.org/glsa/202105-32
https://security.netapp.com/advisory/ntap-20210507-0006/

Vulnerability Database

289,599

CVE-2021-3393