CVE-2021-32028

Public on 2021-10-11

Modified on 2024-05-16

Description

A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.

Severity

Medium

CVSS v3 Base Score

6.5

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 2 - Postgresql11 Extra	postgresql	2023-08-07	ALAS2POSTGRESQL11-2023-003	Fixed
Amazon Linux 2 - Postgresql12 Extra	postgresql	2023-08-07	ALAS2POSTGRESQL12-2023-004	Fixed
Amazon Linux 2 - Postgresql13 Extra	postgresql	2023-08-07	ALAS2POSTGRESQL13-2023-003	Fixed
Amazon Linux 2023	postgresql15			Not Affected
Amazon Linux 1	postgresql96			Pending Fix

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
NVD	CVSSv2	4.0	AV:N/AC:L/Au:S/C:P/I:N/A:N
NVD	CVSSv3	6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Red Hat: CVE-2021-32028 Mitre: CVE-2021-32028