What is CVE-2021-3677?

CVE-2021-3677 is a vulnerability found in postgresql that allows an authenticated database user to read arbitrary bytes of server memory.

How severe is CVE-2021-3677?

CVE-2021-3677 has a severity score of 6.5, which is considered medium.

Who is affected by CVE-2021-3677?

Postgresql versions 11.0 to 11.13, 12.0 to 12.8, and 13.0 to 13.4 are affected by CVE-2021-3677.

How can I fix CVE-2021-3677?

To fix CVE-2021-3677, it is recommended to update to a patched version of postgresql (11.13, 12.8, or 13.4).

Where can I find more information about CVE-2021-3677?

You can find more information about CVE-2021-3677 on the following references: [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2001857), [Gentoo GLSA](https://security.gentoo.org/glsa/202211-04), and [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20220407-0008/).

Vulnerability/
CVE-2021-3677

medium

6.5

CWE

200

7/9/2021

2/3/2022

31/1/2023

CVE-2021-3677: Infoleak

First published: Tue Sep 07 2021(Updated: )

A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
redhat/postgresql	<13.4	13.4
redhat/postgresql	<12.8	12.8
redhat/postgresql	<11.13	11.13
PostgreSQL PostgreSQL	>=11.0<11.13
PostgreSQL PostgreSQL	>=12.0<12.8
PostgreSQL PostgreSQL	>=13.0<13.4
Redhat Virtualization	=4.0
Redhat Enterprise Linux	=8.0
Redhat Enterprise Linux For Ibm Z Systems	=8.0
Redhat Enterprise Linux For Power Little Endian	=8.0
Redhat Software Collections	=1.0
Redhat Enterprise Linux	=7.0
Fedoraproject Fedora	=34

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-3677?
CVE-2021-3677 is a vulnerability found in postgresql that allows an authenticated database user to read arbitrary bytes of server memory.
How severe is CVE-2021-3677?
CVE-2021-3677 has a severity score of 6.5, which is considered medium.
Who is affected by CVE-2021-3677?
Postgresql versions 11.0 to 11.13, 12.0 to 12.8, and 13.0 to 13.4 are affected by CVE-2021-3677.
How can I fix CVE-2021-3677?
To fix CVE-2021-3677, it is recommended to update to a patched version of postgresql (11.13, 12.8, or 13.4).
Where can I find more information about CVE-2021-3677?
You can find more information about CVE-2021-3677 on the following references: [Red Hat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=2001857), [Gentoo GLSA](https://security.gentoo.org/glsa/202211-04), and [NetApp Security Advisory](https://security.netapp.com/advisory/ntap-20220407-0008/).

agent/type
agent/author
agent/weakness
agent/last-modified-date
agent/references
agent/severity
agent/softwarecombine
agent/description
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2021-3677
agent/software-canonical-lookup
agent/tags
agent/event
collector/nvd-index
agent/software-canonical-lookup-request
package-manager/redhat
vendor/postgresql
canonical/postgresql postgresql
version/postgresql postgresql/11.0
version/postgresql postgresql/12.0
version/postgresql postgresql/13.0
vendor/redhat
canonical/redhat virtualization
version/redhat virtualization/4.0
canonical/redhat enterprise linux
version/redhat enterprise linux/8.0
canonical/redhat enterprise linux for ibm z systems
version/redhat enterprise linux for ibm z systems/8.0
canonical/redhat enterprise linux for power little endian
version/redhat enterprise linux for power little endian/8.0
canonical/redhat software collections
version/redhat software collections/1.0
version/redhat enterprise linux/7.0
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/34