CVE-2021-32027: Buffer Overflow
First published: Tue May 04 2021(Updated: )
PostgreSQL could allow a remote authenticated attacker to execute arbitrary code on the system, caused by an integer overflow while modifying certain SQL array values. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <13.3 | 13.3 |
| redhat/postgresql | <12.7 | 12.7 |
| redhat/postgresql | <11.12 | 11.12 |
| redhat/postgresql | <10.17 | 10.17 |
| redhat/postgresql | <9.6.22 | 9.6.22 |
| PostgreSQL PostgreSQL | >=9.6.0<9.6.22 | |
| PostgreSQL PostgreSQL | >=10.0<10.17 | |
| PostgreSQL PostgreSQL | >=11.0<11.12 | |
| PostgreSQL PostgreSQL | >=12.0<12.7 | |
| PostgreSQL PostgreSQL | >=13.0<13.3 | |
| Redhat Jboss Enterprise Application Platform | =7.0.0 | |
| Redhat Software Collections | ||
| Redhat Enterprise Linux | =7.0 | |
| Redhat Enterprise Linux | =8.0 | |
| IBM DRM | <=2.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=f02b9085ad2f6fefd9c5cdf85579cb9f0ff0f0ea
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=467395bfdf33f1ccf67ca388ffdcc927271544cb
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=3b0f6a7ae5d812d9a70fc854d2e54d3657467e25
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=06bfbe85409177bff7bc5376fb5fdd7a324227c3
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=2fb809d3e1927c0885ad80e18dd3a3aacd612b8b
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=0c1caa48d3ccb7a5d1343b53aa32fcae45dc2d00
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962799
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962798
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962797
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962796
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962795
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962800
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962794
- https://www.postgresql.org/support/security/CVE-2021-32027/
- https://access.redhat.com/errata/RHSA-2021:2360
- https://access.redhat.com/errata/RHSA-2021:2361
- https://access.redhat.com/security/cve/cve-2021-32027
- https://access.redhat.com/errata/RHSA-2021:2372
- https://access.redhat.com/errata/RHSA-2021:2375
- https://access.redhat.com/errata/RHSA-2021:2392
- https://access.redhat.com/errata/RHSA-2021:2393
- https://access.redhat.com/errata/RHSA-2021:2389
- https://access.redhat.com/errata/RHSA-2021:2391
- https://access.redhat.com/errata/RHSA-2021:2395
- https://access.redhat.com/errata/RHSA-2021:2390
- https://access.redhat.com/errata/RHSA-2021:2394
- https://access.redhat.com/errata/RHSA-2021:2396
- https://access.redhat.com/errata/RHSA-2021:2397
- https://bugzilla.redhat.com/show_bug.cgi?id=1956876
- https://security.gentoo.org/glsa/202211-04
- https://security.netapp.com/advisory/ntap-20210713-0004/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/202823
- https://www.ibm.com/support/pages/node/6497499 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for this flaw in PostgreSQL?
The vulnerability ID for this flaw in PostgreSQL is CVE-2021-32027.
What is the severity level of CVE-2021-32027?
The severity level of CVE-2021-32027 is high, with a CVSS score of 8.8.
Which versions of PostgreSQL are affected by CVE-2021-32027?
Versions before 13.3, 12.7, 11.12, 10.17, and 9.6.22 of PostgreSQL are affected by CVE-2021-32027.
How can an authenticated database user exploit CVE-2021-32027?
An authenticated database user can exploit CVE-2021-32027 by modifying certain SQL array values to write arbitrary bytes to a wide area of server memory.
Where can I find more information about CVE-2021-32027?
You can find more information about CVE-2021-32027 on the IBM X-Force Exchange website, the IBM Support page, and the Red Hat Bugzilla page.
- agent/type
- agent/first-publish-date
- agent/references
- agent/description
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-32027
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/9.6.0
- version/postgresql postgresql/10.0
- version/postgresql postgresql/11.0
- version/postgresql postgresql/12.0
- version/postgresql postgresql/13.0
- vendor/redhat
- canonical/redhat jboss enterprise application platform
- version/redhat jboss enterprise application platform/7.0.0
- canonical/redhat software collections
- canonical/redhat enterprise linux
- version/redhat enterprise linux/7.0
- version/redhat enterprise linux/8.0
- vendor/ibm
- canonical/ibm drm
- version/ibm drm/2.0.6