CVE-2021-32028: Infoleak
First published: Tue May 04 2021(Updated: )
PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a memory disclosure vulnerability when using an INSERT … ON CONFLICT … DO UPDATE command on a purpose-crafted table. By creating prerequisite objects, an attacker could exploit this vulnerability to read arbitrary bytes of server memory.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <13.3 | 13.3 |
| redhat/postgresql | <12.7 | 12.7 |
| redhat/postgresql | <11.12 | 11.12 |
| redhat/postgresql | <10.17 | 10.17 |
| redhat/postgresql | <9.6.22 | 9.6.22 |
| PostgreSQL PostgreSQL | >=9.6.0<9.6.22 | |
| PostgreSQL PostgreSQL | >=10.0<10.17 | |
| PostgreSQL PostgreSQL | >=11.0<11.12 | |
| PostgreSQL PostgreSQL | >=12.0<12.7 | |
| PostgreSQL PostgreSQL | >=13.0<13.3 | |
| IBM DRM | <=2.0.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=049e1e2edb06854d7cd9460c22516efaa165fbf8
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=4a8656a7ee0c155b0249376af58eb3fc3a90415f
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=a5fa3e0671474411ad81600a8f2b4800a4464afc
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=b7d1f32ff6588be99844c140ec1aacb6e44f4b84
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=52a4413627319980843bb8f375f28c7f01c45e18
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=0fcb8e2e0154dedea5c3c7da6dd2cffb731aac06
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962791
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962790
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962789
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962788
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962787
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962793
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1962792
- https://www.postgresql.org/support/security/CVE-2021-32028/
- https://access.redhat.com/errata/RHSA-2021:2360
- https://access.redhat.com/errata/RHSA-2021:2361
- https://access.redhat.com/security/cve/cve-2021-32028
- https://access.redhat.com/errata/RHSA-2021:2372
- https://access.redhat.com/errata/RHSA-2021:2375
- https://access.redhat.com/errata/RHSA-2021:2392
- https://access.redhat.com/errata/RHSA-2021:2393
- https://access.redhat.com/errata/RHSA-2021:2389
- https://access.redhat.com/errata/RHSA-2021:2391
- https://access.redhat.com/errata/RHSA-2021:2395
- https://access.redhat.com/errata/RHSA-2021:2390
- https://access.redhat.com/errata/RHSA-2021:2394
- https://access.redhat.com/errata/RHSA-2021:2396
- https://bugzilla.redhat.com/show_bug.cgi?id=1956877
- https://security.gentoo.org/glsa/202211-04
- https://security.netapp.com/advisory/ntap-20211112-0003/
- https://www.postgresql.org/support/security/CVE-2021-32028
- https://exchange.xforce.ibmcloud.com/vulnerabilities/203616
- https://www.ibm.com/support/pages/node/6497499 (Advisory)
Frequently Asked Questions
What is CVE-2021-32028?
CVE-2021-32028 is a vulnerability in PostgreSQL that allows a remote authenticated attacker to obtain sensitive information.
What is the severity of CVE-2021-32028?
The severity of CVE-2021-32028 is medium with a CVSS score of 6.5.
Which software is affected by CVE-2021-32028?
CVE-2021-32028 affects PostgreSQL versions 9.6.0 to 9.6.22, 10.0 to 10.17, 11.0 to 11.12, 12.0 to 12.7, and 13.0 to 13.3.
How can an attacker exploit CVE-2021-32028?
An attacker can exploit CVE-2021-32028 by using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table to obtain sensitive information.
Are there any references for CVE-2021-32028?
Yes, you can find more information about CVE-2021-32028 at the following references: [1] [2] [3]
- agent/type
- agent/first-publish-date
- agent/author
- agent/weakness
- agent/severity
- agent/references
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-32028
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/ibm-support
- source/IBM
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/9.6.0
- version/postgresql postgresql/10.0
- version/postgresql postgresql/11.0
- version/postgresql postgresql/12.0
- version/postgresql postgresql/13.0
- vendor/ibm
- canonical/ibm drm
- version/ibm drm/2.0.6