Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2021-20229 (GCVE-0-2021-20229)
Vulnerability from cvelistv5 – Published: 2021-02-23 17:40 – Updated: 2024-08-03 17:30
VLAI
EPSS
Summary
A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.
Severity
No CVSS data available.
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1925296 | x_refsource_MISC |
| https://security.netapp.com/advisory/ntap-2021032… | x_refsource_CONFIRM |
| https://security.gentoo.org/glsa/202105-32 | vendor-advisoryx_refsource_GENTOO |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| n/a | PostgreSQL |
Affected:
postgresql 13.2, postgresql 12.6, postgresql 11.11, postgresql 10.16, postgresql 9.6.21, postgresql 9.5.25
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:30:07.427Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20210326-0005/"
},
{
"name": "GLSA-202105-32",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202105-32"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "PostgreSQL",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "postgresql 13.2, postgresql 12.6, postgresql 11.11, postgresql 10.16, postgresql 9.6.21, postgresql 9.5.25"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-06-08T11:47:17.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20210326-0005/"
},
{
"name": "GLSA-202105-32",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202105-32"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2021-20229",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PostgreSQL",
"version": {
"version_data": [
{
"version_value": "postgresql 13.2, postgresql 12.6, postgresql 11.11, postgresql 10.16, postgresql 9.6.21, postgresql 9.5.25"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210326-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210326-0005/"
},
{
"name": "GLSA-202105-32",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202105-32"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2021-20229",
"datePublished": "2021-02-23T17:40:53.000Z",
"dateReserved": "2020-12-17T00:00:00.000Z",
"dateUpdated": "2024-08-03T17:30:07.427Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2021-20229",
"date": "2026-05-29",
"epss": "0.00086",
"percentile": "0.24799"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2021-20229\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2021-02-23T18:15:13.473\",\"lastModified\":\"2024-11-21T05:46:10.477\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.\"},{\"lang\":\"es\",\"value\":\"Se ha encontrado un fallo en PostgreSQL en las versiones anteriores a la 13.2. Este fallo permite a un usuario con privilegio SELECT en una columna elaborar una consulta especial que devuelva todas las columnas de la tabla. La mayor amenaza de esta vulnerabilidad es la confidencialidad\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:N/A:N\",\"baseScore\":4.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"13.0\",\"versionEndExcluding\":\"13.2\",\"matchCriteriaId\":\"38EBA6FE-62E7-4865-ADCB-4F9E5F074F06\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"749804DA-4B27-492A-9ABA-6BB562A6B3AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F4CFF558-3C47-480D-A2F0-BABF26042943\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1925296\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202105-32\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210326-0005/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1925296\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202105-32\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20210326-0005/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Title
Уязвимость системы управления базами данных PostgreSQL, связанная с недостатками механизма авторизации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
Description
Уязвимость системы управления базами данных PostgreSQL связана с недостатками механизма авторизации. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, получить несанкционированный доступ к защищаемой информации
Severity
Vendor
Red Hat Inc., Novell Inc., PostgreSQL Global Development Group
Software Name
Red Hat Enterprise Linux, Suse Linux Enterprise Server, SUSE Linux Enterprise Server for SAP Applications, SUSE Linux Enterprise Software Development Kit, Red Hat Software Collections, SUSE Linux Enterprise Module for Basesystem, SUSE Linux Enterprise Module for Open Buildservice Development Tools, SUSE Linux Enterprise Module for additional PackageHub packages, SUSE Linux Enterprise Module for Server Applications, PostgreSQL
Software Version
7 (Red Hat Enterprise Linux), 8 (Red Hat Enterprise Linux), 12 SP5 (Suse Linux Enterprise Server), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), 12 SP5 (SUSE Linux Enterprise Software Development Kit), - (Red Hat Software Collections), 15 SP2 (SUSE Linux Enterprise Module for Basesystem), 15 SP2 (SUSE Linux Enterprise Module for Open Buildservice Development Tools), 15 SP2 (SUSE Linux Enterprise Module for additional PackageHub packages), 15 SP2 (SUSE Linux Enterprise Module for Server Applications), от 9.5.0 до 9.5.25 (PostgreSQL), от 9.6.0 до 9.6.21 (PostgreSQL), от 10.0 до 10.16 (PostgreSQL), от 11.0 до 11.11 (PostgreSQL), от 12.0 до 12.6 (PostgreSQL), от 13.0 до 13.2 (PostgreSQL)
Possible Mitigations
Использование рекомендаций:
Для PostgreSQL:
https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/
Для программных продуктов Novell Inc.:
https://www.suse.com/security/cve/CVE-2021-20229/
Для программных продуктов Red Hat Inc.:
https://access.redhat.com/security/cve/cve-2021-20229
https://bugzilla.redhat.com/show_bug.cgi?id=1925296
Reference
https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/
https://www.suse.com/security/cve/CVE-2021-20229/
https://access.redhat.com/security/cve/cve-2021-20229
https://bugzilla.redhat.com/show_bug.cgi?id=1925296
CWE
CWE-863
{
"CVSS 2.0": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"CVSS 3.0": "AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"CVSS 4.0": null,
"remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
"remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
"\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Red Hat Inc., Novell Inc., PostgreSQL Global Development Group",
"\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "7 (Red Hat Enterprise Linux), 8 (Red Hat Enterprise Linux), 12 SP5 (Suse Linux Enterprise Server), 12 SP5 (SUSE Linux Enterprise Server for SAP Applications), 12 SP5 (SUSE Linux Enterprise Software Development Kit), - (Red Hat Software Collections), 15 SP2 (SUSE Linux Enterprise Module for Basesystem), 15 SP2 (SUSE Linux Enterprise Module for Open Buildservice Development Tools), 15 SP2 (SUSE Linux Enterprise Module for additional PackageHub packages), 15 SP2 (SUSE Linux Enterprise Module for Server Applications), \u043e\u0442 9.5.0 \u0434\u043e 9.5.25 (PostgreSQL), \u043e\u0442 9.6.0 \u0434\u043e 9.6.21 (PostgreSQL), \u043e\u0442 10.0 \u0434\u043e 10.16 (PostgreSQL), \u043e\u0442 11.0 \u0434\u043e 11.11 (PostgreSQL), \u043e\u0442 12.0 \u0434\u043e 12.6 (PostgreSQL), \u043e\u0442 13.0 \u0434\u043e 13.2 (PostgreSQL)",
"\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f PostgreSQL:\nhttps://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://www.suse.com/security/cve/CVE-2021-20229/\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Red Hat Inc.:\nhttps://access.redhat.com/security/cve/cve-2021-20229\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1925296",
"\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "23.02.2021",
"\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "04.03.2021",
"\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "04.03.2021",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2021-01131",
"\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2021-20229",
"\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
"\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
"\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Red Hat Enterprise Linux, Suse Linux Enterprise Server, SUSE Linux Enterprise Server for SAP Applications, SUSE Linux Enterprise Software Development Kit, Red Hat Software Collections, SUSE Linux Enterprise Module for Basesystem, SUSE Linux Enterprise Module for Open Buildservice Development Tools, SUSE Linux Enterprise Module for additional PackageHub packages, SUSE Linux Enterprise Module for Server Applications, PostgreSQL",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Red Hat Inc. Red Hat Enterprise Linux 7 , Red Hat Inc. Red Hat Enterprise Linux 8 , Novell Inc. Suse Linux Enterprise Server 12 SP5 , Novell Inc. SUSE Linux Enterprise Server for SAP Applications 12 SP5 ",
"\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0430\u0437\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 PostgreSQL, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u0430\u044f \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u044f (CWE-863)",
"\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0430\u0437\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 PostgreSQL \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043a\u0430\u043c\u0438 \u043c\u0435\u0445\u0430\u043d\u0438\u0437\u043c\u0430 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c \u043d\u0435\u0441\u0430\u043d\u043a\u0446\u0438\u043e\u043d\u0438\u0440\u043e\u0432\u0430\u043d\u043d\u044b\u0439 \u0434\u043e\u0441\u0442\u0443\u043f \u043a \u0437\u0430\u0449\u0438\u0449\u0430\u0435\u043c\u043e\u0439 \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u0438",
"\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
"\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
"\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
"\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
"\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041d\u0430\u0440\u0443\u0448\u0435\u043d\u0438\u0435 \u0430\u0432\u0442\u043e\u0440\u0438\u0437\u0430\u0446\u0438\u0438",
"\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/\nhttps://www.suse.com/security/cve/CVE-2021-20229/\nhttps://access.redhat.com/security/cve/cve-2021-20229\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1925296",
"\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
"\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0423\u0411\u0414, \u041f\u041e \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0418\u0418",
"\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-863",
"\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4)\n\u0421\u0440\u0435\u0434\u043d\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 4,3)"
}
bit-postgresql-2021-20229
Vulnerability from bitnami_vulndb
Published
2024-03-06 11:05
Modified
2025-04-03 14:40
Summary
Details
A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.
{
"affected": [
{
"package": {
"ecosystem": "Bitnami",
"name": "postgresql",
"purl": "pkg:bitnami/postgresql"
},
"ranges": [
{
"events": [
{
"introduced": "13.0.0"
},
{
"fixed": "13.2.0"
}
],
"type": "SEMVER"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
],
"aliases": [
"CVE-2021-20229"
],
"database_specific": {
"cpes": [
"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*"
],
"severity": "Medium"
},
"details": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.",
"id": "BIT-postgresql-2021-20229",
"modified": "2025-04-03T14:40:37.652Z",
"published": "2024-03-06T11:05:42.287Z",
"references": [
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202105-32"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210326-0005/"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20229"
}
],
"schema_version": "1.5.0"
}
CERTFR-2021-AVI-117
Vulnerability from certfr_avis - Published: 2021-02-12 - Updated: 2021-02-12
De multiples vulnérabilités ont été découvertes dans PostgreSQL. Elles permettent à un attaquant de provoquer une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| PostgreSQL | PostgreSQL | PostgreSQL versions 9.5 antérieures à 9.5.25 | ||
| PostgreSQL | PostgreSQL | PostgreSQL versions 12 antérieures à 12.6 | ||
| PostgreSQL | PostgreSQL | PostgreSQL versions 9.6 antérieures à 9.6.21 | ||
| PostgreSQL | PostgreSQL | PostgreSQL versions 11 antérieures à 11.11 | ||
| PostgreSQL | PostgreSQL | PostgreSQL versions 13 antérieures à 13.2 | ||
| PostgreSQL | PostgreSQL | PostgreSQL versions 10 antérieures à 10.16 |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "PostgreSQL versions 9.5 ant\u00e9rieures \u00e0 9.5.25",
"product": {
"name": "PostgreSQL",
"vendor": {
"name": "PostgreSQL",
"scada": false
}
}
},
{
"description": "PostgreSQL versions 12 ant\u00e9rieures \u00e0 12.6",
"product": {
"name": "PostgreSQL",
"vendor": {
"name": "PostgreSQL",
"scada": false
}
}
},
{
"description": "PostgreSQL versions 9.6 ant\u00e9rieures \u00e0 9.6.21",
"product": {
"name": "PostgreSQL",
"vendor": {
"name": "PostgreSQL",
"scada": false
}
}
},
{
"description": "PostgreSQL versions 11 ant\u00e9rieures \u00e0 11.11",
"product": {
"name": "PostgreSQL",
"vendor": {
"name": "PostgreSQL",
"scada": false
}
}
},
{
"description": "PostgreSQL versions 13 ant\u00e9rieures \u00e0 13.2",
"product": {
"name": "PostgreSQL",
"vendor": {
"name": "PostgreSQL",
"scada": false
}
}
},
{
"description": "PostgreSQL versions 10 ant\u00e9rieures \u00e0 10.16",
"product": {
"name": "PostgreSQL",
"vendor": {
"name": "PostgreSQL",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2021-3393",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-3393"
},
{
"name": "CVE-2021-20229",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20229"
}
],
"initial_release_date": "2021-02-12T00:00:00",
"last_revision_date": "2021-02-12T00:00:00",
"links": [],
"reference": "CERTFR-2021-AVI-117",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2021-02-12T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans PostgreSQL. Elles\npermettent \u00e0 un attaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9\ndes donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans PostgreSQL",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 PostgreSQL du 11 f\u00e9vrier 2021",
"url": "https://www.postgresql.org/about/news/postgresql-132-126-1111-1016-9621-and-9525-released-2165/"
}
]
}
cleanstart-2026-fw42039
Vulnerability from cleanstart
Published
2026-01-30 17:19
Modified
2026-01-29 18:58
Summary
vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT
Details
Multiple security vulnerabilities affect the postgresql package. A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "postgresql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.6.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the postgresql package. A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-FW42039",
"modified": "2026-01-29T18:58:54Z",
"published": "2026-01-30T17:19:56.954092Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-FW42039"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-15098"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-15099"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7484"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7485"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7486"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7546"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7548"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-1052"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-1058"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-16850"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-10129"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-10130"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-10208"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-10209"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-14349"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-14350"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-25694"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-25695"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-25696"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-20229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-23214"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-32027"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-32028"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-32029"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-3393"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-3677"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-2625"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41862"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-2454"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-2455"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-39418"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-5870"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-7348"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-51476"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-51477"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15098"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15099"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7484"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7485"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7486"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7546"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7548"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1052"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1058"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16850"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10129"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10130"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10208"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10209"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14349"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14350"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25694"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25695"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25696"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23214"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32027"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32028"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32029"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3393"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3677"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2625"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41862"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2454"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2455"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5870"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7348"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51476"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51477"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT",
"upstream": [
"CVE-2017-15098",
"CVE-2017-15099",
"CVE-2017-7484",
"CVE-2017-7485",
"CVE-2017-7486",
"CVE-2017-7546",
"CVE-2017-7547",
"CVE-2017-7548",
"CVE-2018-1052",
"CVE-2018-1058",
"CVE-2018-16850",
"CVE-2019-10129",
"CVE-2019-10130",
"CVE-2019-10208",
"CVE-2019-10209",
"CVE-2020-14349",
"CVE-2020-14350",
"CVE-2020-25694",
"CVE-2020-25695",
"CVE-2020-25696",
"CVE-2021-20229",
"CVE-2021-23214",
"CVE-2021-32027",
"CVE-2021-32028",
"CVE-2021-32029",
"CVE-2021-3393",
"CVE-2021-3677",
"CVE-2022-2625",
"CVE-2022-41862",
"CVE-2023-2454",
"CVE-2023-2455",
"CVE-2023-39418",
"CVE-2023-5870",
"CVE-2024-7348",
"CVE-2025-51476",
"CVE-2025-51477"
]
}
cleanstart-2026-hj04971
Vulnerability from cleanstart
Published
2026-01-30 17:21
Modified
2026-01-29 18:58
Summary
vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT
Details
Multiple security vulnerabilities affect the postgresql package. A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "postgresql"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.6.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the postgresql package. A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-HJ04971",
"modified": "2026-01-29T18:58:54Z",
"published": "2026-01-30T17:21:56.808972Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-HJ04971"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-15098"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-15099"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7484"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7485"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7486"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7546"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2017-7548"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-1052"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-1058"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2018-16850"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-10129"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-10130"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-10208"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2019-10209"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-14349"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-14350"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-25694"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-25695"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2020-25696"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-20229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-23214"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-32027"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-32028"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-32029"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-3393"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2021-3677"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-2625"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-41862"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-2454"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-2455"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-39418"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2023-5870"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-7348"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15098"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15099"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7484"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7485"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7486"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7546"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7548"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1052"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1058"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16850"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10129"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10130"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10208"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10209"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14349"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14350"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25694"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25695"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25696"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23214"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32027"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32028"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32029"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3393"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3677"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2625"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41862"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2454"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2455"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5870"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7348"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT",
"upstream": [
"CVE-2017-15098",
"CVE-2017-15099",
"CVE-2017-7484",
"CVE-2017-7485",
"CVE-2017-7486",
"CVE-2017-7546",
"CVE-2017-7547",
"CVE-2017-7548",
"CVE-2018-1052",
"CVE-2018-1058",
"CVE-2018-16850",
"CVE-2019-10129",
"CVE-2019-10130",
"CVE-2019-10208",
"CVE-2019-10209",
"CVE-2020-14349",
"CVE-2020-14350",
"CVE-2020-25694",
"CVE-2020-25695",
"CVE-2020-25696",
"CVE-2021-20229",
"CVE-2021-23214",
"CVE-2021-32027",
"CVE-2021-32028",
"CVE-2021-32029",
"CVE-2021-3393",
"CVE-2021-3677",
"CVE-2022-2625",
"CVE-2022-41862",
"CVE-2023-2454",
"CVE-2023-2455",
"CVE-2023-39418",
"CVE-2023-5870",
"CVE-2024-7348"
]
}
Title
PostgreSQL信息泄露漏洞(CNVD-2021-14796)
Description
PostgreSQL是一款自由的对象-关系型数据库服务器(数据库管理系统),在灵活的BSD-风格许可证下发行。
PostgreSQL存在信息泄露漏洞。攻击者可利用该漏洞可以通过权限绕过对数据的访问限制,以获取敏感信息。
Severity
中
Patch Name
PostgreSQL信息泄露漏洞(CNVD-2021-14796)的补丁
Patch Description
PostgreSQL是一款自由的对象-关系型数据库服务器(数据库管理系统),在灵活的BSD-风格许可证下发行。
PostgreSQL存在信息泄露漏洞。攻击者可利用该漏洞可以通过权限绕过对数据的访问限制,以获取敏感信息。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布了漏洞修复程序,请及时关注更新: https://www.postgresql.org/
Reference
https://nvd.nist.gov/vuln/detail/CVE-2021-20229
Impacted products
| Name | Postgresql PostgreSQL |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2021-20229",
"cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-20229"
}
},
"description": "PostgreSQL\u662f\u4e00\u6b3e\u81ea\u7531\u7684\u5bf9\u8c61-\u5173\u7cfb\u578b\u6570\u636e\u5e93\u670d\u52a1\u5668\uff08\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\uff09\uff0c\u5728\u7075\u6d3b\u7684BSD-\u98ce\u683c\u8bb8\u53ef\u8bc1\u4e0b\u53d1\u884c\u3002\n\nPostgreSQL\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u901a\u8fc7\u6743\u9650\u7ed5\u8fc7\u5bf9\u6570\u636e\u7684\u8bbf\u95ee\u9650\u5236\uff0c\u4ee5\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u4e86\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://www.postgresql.org/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2021-14796",
"openTime": "2021-03-07",
"patchDescription": "PostgreSQL\u662f\u4e00\u6b3e\u81ea\u7531\u7684\u5bf9\u8c61-\u5173\u7cfb\u578b\u6570\u636e\u5e93\u670d\u52a1\u5668\uff08\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\uff09\uff0c\u5728\u7075\u6d3b\u7684BSD-\u98ce\u683c\u8bb8\u53ef\u8bc1\u4e0b\u53d1\u884c\u3002\r\n\r\nPostgreSQL\u5b58\u5728\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u53ef\u4ee5\u901a\u8fc7\u6743\u9650\u7ed5\u8fc7\u5bf9\u6570\u636e\u7684\u8bbf\u95ee\u9650\u5236\uff0c\u4ee5\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "PostgreSQL\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2021-14796\uff09\u7684\u8865\u4e01",
"products": {
"product": "Postgresql PostgreSQL"
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2021-20229",
"serverity": "\u4e2d",
"submitTime": "2021-02-24",
"title": "PostgreSQL\u4fe1\u606f\u6cc4\u9732\u6f0f\u6d1e\uff08CNVD-2021-14796\uff09"
}
FKIE_CVE-2021-20229
Vulnerability from fkie_nvd - Published: 2021-02-23 18:15 - Updated: 2024-11-21 05:46
Severity
Summary
A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=1925296 | Issue Tracking, Third Party Advisory | |
| secalert@redhat.com | https://security.gentoo.org/glsa/202105-32 | Third Party Advisory | |
| secalert@redhat.com | https://security.netapp.com/advisory/ntap-20210326-0005/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=1925296 | Issue Tracking, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202105-32 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20210326-0005/ | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| postgresql | postgresql | * | |
| redhat | software_collections | - | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 8.0 | |
| fedoraproject | fedora | 33 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
"matchCriteriaId": "38EBA6FE-62E7-4865-ADCB-4F9E5F074F06",
"versionEndExcluding": "13.2",
"versionStartIncluding": "13.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*",
"matchCriteriaId": "749804DA-4B27-492A-9ABA-6BB562A6B3AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"matchCriteriaId": "E460AA51-FCDA-46B9-AE97-E6676AA5E194",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality."
},
{
"lang": "es",
"value": "Se ha encontrado un fallo en PostgreSQL en las versiones anteriores a la 13.2. Este fallo permite a un usuario con privilegio SELECT en una columna elaborar una consulta especial que devuelva todas las columnas de la tabla. La mayor amenaza de esta vulnerabilidad es la confidencialidad"
}
],
"id": "CVE-2021-20229",
"lastModified": "2024-11-21T05:46:10.477",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-23T18:15:13.473",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-32"
},
{
"source": "secalert@redhat.com",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210326-0005/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-32"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210326-0005/"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
}
GHSA-43RR-WCJ9-H45W
Vulnerability from github – Published: 2022-02-15 01:44 – Updated: 2022-02-15 01:44
VLAI
Summary
Incorrect Authorization in PostgreSQL
Details
A flaw was found in PostgreSQL in versions before 13.2, before 12.6, before 11.11, before 10.16, before 9.6.21 and before 9.5.25. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.
Severity
4.3 (Medium)
{
"affected": [],
"aliases": [
"CVE-2021-20229"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-23T18:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in PostgreSQL in versions before 13.2, before 12.6, before 11.11, before 10.16, before 9.6.21 and before 9.5.25. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.",
"id": "GHSA-43rr-wcj9-h45w",
"modified": "2022-02-15T01:44:52Z",
"published": "2022-02-15T01:44:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20229"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202105-32"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20210326-0005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Incorrect Authorization in PostgreSQL"
}
GSD-2021-20229
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2021-20229",
"description": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.",
"id": "GSD-2021-20229",
"references": [
"https://www.suse.com/security/cve/CVE-2021-20229.html",
"https://advisories.mageia.org/CVE-2021-20229.html",
"https://security.archlinux.org/CVE-2021-20229"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2021-20229"
],
"details": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.",
"id": "GSD-2021-20229",
"modified": "2023-12-13T01:23:12.055308Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2021-20229",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "PostgreSQL",
"version": {
"version_data": [
{
"version_value": "postgresql 13.2, postgresql 12.6, postgresql 11.11, postgresql 10.16, postgresql 9.6.21, postgresql 9.5.25"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-863"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210326-0005/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20210326-0005/"
},
{
"name": "GLSA-202105-32",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202105-32"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "13.2",
"versionStartIncluding": "13.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:software_collections:-:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2021-20229"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-863"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296",
"refsource": "MISC",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1925296"
},
{
"name": "https://security.netapp.com/advisory/ntap-20210326-0005/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20210326-0005/"
},
{
"name": "GLSA-202105-32",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202105-32"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 1.4
}
},
"lastModifiedDate": "2021-06-09T15:01Z",
"publishedDate": "2021-02-23T18:15Z"
}
}
}
MSRC_CVE-2021-20229
Vulnerability from csaf_microsoft - Published: 2021-02-02 00:00 - Updated: 2021-02-27 00:00Summary
A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.
Notes
Additional Resources: To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle
Disclaimer: The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
4.3 (Medium)
Affected products
Fixed
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 13064-12137 | — | ||
| Unresolved product id: 13065-12137 | — | ||
| Unresolved product id: 13066-12137 | — | ||
| Unresolved product id: 13067-12137 | — | ||
| Unresolved product id: 13068-12138 | — | ||
| Unresolved product id: 13069-12138 | — | ||
| Unresolved product id: 13070-12138 | — | ||
| Unresolved product id: 13071-12138 | — |
Known affected
8 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 12137-8 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 12137-7 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 12137-6 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 12137-5 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 12138-4 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 12138-3 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 12138-2 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 12138-1 | — |
Vendor Fix
fix
|
References
4 references
| URL | Category |
|---|---|
| https://msrc.microsoft.com/csaf/vex/2021/msrc_cve… | self |
| https://support.microsoft.com/lifecycle | external |
| https://www.first.org/cvss | external |
| https://msrc.microsoft.com/csaf/vex/2021/msrc_cve… | self |
{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Public",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en-US",
"notes": [
{
"category": "general",
"text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
"title": "Additional Resources"
},
{
"category": "legal_disclaimer",
"text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
"title": "Disclaimer"
}
],
"publisher": {
"category": "vendor",
"contact_details": "secure@microsoft.com",
"name": "Microsoft Security Response Center",
"namespace": "https://msrc.microsoft.com"
},
"references": [
{
"category": "self",
"summary": "CVE-2021-20229 A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2021/msrc_cve-2021-20229.json"
},
{
"category": "external",
"summary": "Microsoft Support Lifecycle",
"url": "https://support.microsoft.com/lifecycle"
},
{
"category": "external",
"summary": "Common Vulnerability Scoring System",
"url": "https://www.first.org/cvss"
}
],
"title": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.",
"tracking": {
"current_release_date": "2021-02-27T00:00:00.000Z",
"generator": {
"date": "2025-12-27T19:08:30.433Z",
"engine": {
"name": "MSRC Generator",
"version": "1.0"
}
},
"id": "msrc_CVE-2021-20229",
"initial_release_date": "2021-02-02T00:00:00.000Z",
"revision_history": [
{
"date": "2021-02-27T00:00:00.000Z",
"legacy_version": "1",
"number": "1",
"summary": "Information published."
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "CBL Mariner 1.0 x64",
"product_id": "12137"
}
},
{
"category": "product_version",
"name": "1.0",
"product": {
"name": "CBL Mariner 1.0 ARM",
"product_id": "12138"
}
}
],
"category": "product_name",
"name": "Azure Linux"
}
],
"category": "vendor",
"name": "Microsoft"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cpostgresql-12.7-1.cm1.x86_64.rpm as a component of CBL Mariner 1.0 x64",
"product_id": "12137-8"
},
"product_reference": "8",
"relates_to_product_reference": "12137"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-12.7-1.cm1.x86_64.rpm as a component of CBL Mariner 1.0 x64",
"product_id": "13064-12137"
},
"product_reference": "13064",
"relates_to_product_reference": "12137"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cpostgresql-libs-12.7-1.cm1.x86_64.rpm as a component of CBL Mariner 1.0 x64",
"product_id": "12137-7"
},
"product_reference": "7",
"relates_to_product_reference": "12137"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-libs-12.7-1.cm1.x86_64.rpm as a component of CBL Mariner 1.0 x64",
"product_id": "13065-12137"
},
"product_reference": "13065",
"relates_to_product_reference": "12137"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cpostgresql-devel-12.7-1.cm1.x86_64.rpm as a component of CBL Mariner 1.0 x64",
"product_id": "12137-6"
},
"product_reference": "6",
"relates_to_product_reference": "12137"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-devel-12.7-1.cm1.x86_64.rpm as a component of CBL Mariner 1.0 x64",
"product_id": "13066-12137"
},
"product_reference": "13066",
"relates_to_product_reference": "12137"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cpostgresql-debuginfo-12.7-1.cm1.x86_64.rpm as a component of CBL Mariner 1.0 x64",
"product_id": "12137-5"
},
"product_reference": "5",
"relates_to_product_reference": "12137"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-debuginfo-12.7-1.cm1.x86_64.rpm as a component of CBL Mariner 1.0 x64",
"product_id": "13067-12137"
},
"product_reference": "13067",
"relates_to_product_reference": "12137"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cpostgresql-12.7-1.cm1.aarch64.rpm as a component of CBL Mariner 1.0 ARM",
"product_id": "12138-4"
},
"product_reference": "4",
"relates_to_product_reference": "12138"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-12.7-1.cm1.aarch64.rpm as a component of CBL Mariner 1.0 ARM",
"product_id": "13068-12138"
},
"product_reference": "13068",
"relates_to_product_reference": "12138"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cpostgresql-libs-12.7-1.cm1.aarch64.rpm as a component of CBL Mariner 1.0 ARM",
"product_id": "12138-3"
},
"product_reference": "3",
"relates_to_product_reference": "12138"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-libs-12.7-1.cm1.aarch64.rpm as a component of CBL Mariner 1.0 ARM",
"product_id": "13069-12138"
},
"product_reference": "13069",
"relates_to_product_reference": "12138"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cpostgresql-devel-12.7-1.cm1.aarch64.rpm as a component of CBL Mariner 1.0 ARM",
"product_id": "12138-2"
},
"product_reference": "2",
"relates_to_product_reference": "12138"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-devel-12.7-1.cm1.aarch64.rpm as a component of CBL Mariner 1.0 ARM",
"product_id": "13070-12138"
},
"product_reference": "13070",
"relates_to_product_reference": "12138"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "\u003cpostgresql-debuginfo-12.7-1.cm1.aarch64.rpm as a component of CBL Mariner 1.0 ARM",
"product_id": "12138-1"
},
"product_reference": "1",
"relates_to_product_reference": "12138"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql-debuginfo-12.7-1.cm1.aarch64.rpm as a component of CBL Mariner 1.0 ARM",
"product_id": "13071-12138"
},
"product_reference": "13071",
"relates_to_product_reference": "12138"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2021-20229",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"notes": [
{
"category": "general",
"text": "redhat",
"title": "Assigning CNA"
}
],
"product_status": {
"fixed": [
"13064-12137",
"13065-12137",
"13066-12137",
"13067-12137",
"13068-12138",
"13069-12138",
"13070-12138",
"13071-12138"
],
"known_affected": [
"12137-8",
"12137-7",
"12137-6",
"12137-5",
"12138-4",
"12138-3",
"12138-2",
"12138-1"
]
},
"references": [
{
"category": "self",
"summary": "CVE-2021-20229 A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality. - VEX",
"url": "https://msrc.microsoft.com/csaf/vex/2021/msrc_cve-2021-20229.json"
}
],
"remediations": [
{
"category": "vendor_fix",
"date": "2021-02-27T00:00:00.000Z",
"details": "12.7-1:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
"product_ids": [
"12137-8",
"12137-7",
"12137-6",
"12137-5",
"12138-4",
"12138-3",
"12138-2",
"12138-1"
],
"url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"environmentalsScore": 0.0,
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"temporalScore": 4.3,
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"12137-8",
"12137-7",
"12137-6",
"12137-5",
"12138-4",
"12138-3",
"12138-2",
"12138-1"
]
}
],
"title": "A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality."
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…