CVE-2021-3393
First published: Tue Feb 02 2021(Updated: )
PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the error messages. By sending a specially-crafted query, an attacker could exploit this vulnerability to obtain sensitive information from a column they have UPDATE permission but not SELECT permission to, and use this information to launch further attacks against the affected system.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <13.2 | 13.2 |
| redhat/postgresql | <12.6 | 12.6 |
| redhat/postgresql | <11.11 | 11.11 |
| IBM Security Verify Access | <=10.0.0 | |
| PostgreSQL PostgreSQL | <11.11 | |
| PostgreSQL PostgreSQL | >=12.0<12.6 | |
| PostgreSQL PostgreSQL | >=13.0<13.2 | |
| Redhat Software Collections | ||
| Red Hat Enterprise Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2014-8161
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1927868
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1927867
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1927865
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1927871
- https://www.postgresql.org/support/security/CVE-2021-3393/
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=6214e2b2280462cbc3aa1986e350e167651b3905
- https://access.redhat.com/errata/RHSA-2021:2372
- https://access.redhat.com/security/cve/cve-2021-3393
- https://access.redhat.com/errata/RHSA-2021:2389
- https://access.redhat.com/errata/RHSA-2021:2394
- https://bugzilla.redhat.com/show_bug.cgi?id=1924005
- https://security.gentoo.org/glsa/202105-32
- https://security.netapp.com/advisory/ntap-20210507-0006/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/199296
- https://www.ibm.com/support/pages/node/6538418 (Advisory)
Frequently Asked Questions
What is CVE-2021-3393?
CVE-2021-3393 is an information leak vulnerability in PostgreSQL versions before 13.2, before 12.6, and before 11.11.
How can a remote authenticated attacker exploit CVE-2021-3393?
A remote authenticated attacker can exploit CVE-2021-3393 by crafting queries that may disclose values from a specific column in error messages.
What is the severity of CVE-2021-3393?
CVE-2021-3393 has a severity rating of 4.3, which is considered medium.
Which versions of PostgreSQL are affected by CVE-2021-3393?
Versions before 13.2, before 12.6, and before 11.11 of PostgreSQL are affected by CVE-2021-3393.
Where can I find more information about CVE-2021-3393?
You can find more information about CVE-2021-3393 at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2014-8161), [Reference 2](https://bugzilla.redhat.com/show_bug.cgi?id=1927868), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi?id=1927867).
- agent/type
- agent/first-publish-date
- agent/severity
- agent/weakness
- agent/author
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2021-3393
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/ibm-support
- source/IBM
- agent/references
- agent/trending
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- agent/source
- package-manager/redhat
- vendor/ibm
- canonical/ibm security verify access
- version/ibm security verify access/10.0.0
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/12.0
- version/postgresql postgresql/13.0
- vendor/redhat
- canonical/redhat software collections
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0