CVE-2021-3393

Public on 2021-04-01

Modified on 2024-06-13

Description

An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.

Severity

Medium

CVSS v3 Base Score

4.3

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory	Status
Amazon Linux 2 - Postgresql13 Extra	postgresql			Not Affected
Amazon Linux 2 - Postgresql12 Extra	postgresql	2023-08-07	ALAS2POSTGRESQL12-2023-004	Fixed
Amazon Linux 2023	postgresql15			Not Affected
Amazon Linux 1	postgresql96			Not Affected

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
NVD	CVSSv2	3.5	AV:N/AC:M/Au:S/C:P/I:N/A:N
NVD	CVSSv3	4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

Red Hat: CVE-2021-3393 Mitre: CVE-2021-3393