Vulnerability Name: CVE-2021-20229 (CCN-197301)

Assigned:2020-12-17
Published:2021-02-23
Updated:2021-06-09
Summary: A flaw was found in PostgreSQL 13 in versions before 13.2 (the vulnerable configuration below covers 13.0 and 13.1). This flaw allows a user who holds SELECT privilege on only one column of a table to craft a query that returns all columns of that table, bypassing column-level access control (CWE-863, incorrect authorization). The highest threat from this vulnerability is to confidentiality.
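The SQL below is an added worked check, not text from the advisory or code from the PostgreSQL project. It reproduces the privilege arrangement the summary describes (a role granted SELECT on a single column) and shows what a fixed server must reject, then audits which roles rely on column-level grants. The table, column and role names are assumptions chosen for the demo; run it as a superuser in psql against a scratch database.

```sql
-- Added example (not part of the advisory): post-patch check for column-level
-- SELECT privilege isolation. Names (employees, reporter, salary) are assumptions.

-- 0. Is this server inside the affected range (13.0 <= version < 13.2)?
--    server_version_num is 130000 for 13.0, 130001 for 13.1, 130002 for 13.2.
SELECT version(),
       current_setting('server_version_num')::int AS vnum,
       current_setting('server_version_num')::int BETWEEN 130000 AND 130001 AS affected;

-- 1. A table with one column that may be shared and one that must stay private.
CREATE TABLE employees (
    id     integer PRIMARY KEY,
    name   text    NOT NULL,
    salary numeric NOT NULL
);
-- constructed sample rows
INSERT INTO employees VALUES (1, 'alice', 100000), (2, 'bob', 90000);

-- 2. A low-privilege role that is granted SELECT on exactly one column.
CREATE ROLE reporter;
GRANT SELECT (name) ON employees TO reporter;

-- 3. Act as that role for the rest of the session.
SET ROLE reporter;

-- Allowed: the single granted column.
SELECT name FROM employees;

-- Each of these must fail on a fixed server with
--   ERROR:  permission denied for table employees
-- because they reference columns (id, salary) the role was never granted.
SELECT * FROM employees;
SELECT e.* FROM employees AS e;
SELECT salary FROM employees;

RESET ROLE;

-- 4. Audit: which roles hold column-level SELECT grants without a whole-table
--    SELECT grant? Those are the grants whose isolation this CVE undermined,
--    so they are the ones to review on any server that ran 13.0 or 13.1.
SELECT cp.grantee, cp.table_schema, cp.table_name,
       string_agg(cp.column_name::text, ', ' ORDER BY cp.column_name::text) AS columns
FROM information_schema.column_privileges AS cp
WHERE cp.privilege_type = 'SELECT'
  AND NOT EXISTS (
        SELECT 1
        FROM information_schema.table_privileges AS tp
        WHERE tp.grantee        = cp.grantee
          AND tp.table_schema   = cp.table_schema
          AND tp.table_name     = cp.table_name
          AND tp.privilege_type = 'SELECT')
GROUP BY cp.grantee, cp.table_schema, cp.table_name
ORDER BY 1, 2, 3;

-- 5. Clean up (the table must go before the role that holds grants on it).
DROP TABLE employees;
DROP ROLE reporter;
```

Step 4 relies on the documented behaviour of information_schema.column_privileges: a table-level grant is reported there as a grant on every column, so the NOT EXISTS filter keeps only roles whose access is genuinely restricted to a subset of columns.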
CVSS v3 Severity:4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availability (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type:CWE-863
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2021-20229

Source: CCN
Type: Red Hat Bugzilla - Bug 1925296
(CVE-2021-20229) - CVE-2021-20229 postgresql: single-column SELECT privilege enables reading all columns

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1925296

Source: XF
Type: UNKNOWN
postgresql-cve202120229-info-disc(197301)

Source: GENTOO
Type: Third Party Advisory
GLSA-202105-32

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210326-0005/

Source: CCN
Type: IBM Security Bulletin 6449972 (Data Risk Manager)
IBM Data Risk Manager is affected by multiple vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6456211 (Connect:Direct Web Services)
Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2021-20229)

Source: CCN
Type: PostgreSQL Web site
PostgreSQL

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2021-20229

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 13.0 and < 13.2)

Configuration 2:
  • cpe:/a:redhat:software_collections:-:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:fedoraproject:fedora:33:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:postgresql:postgresql:9.5.24:*:*:*:*:*:*:*
  • OR cpe:/a:postgresql:postgresql:9.6.20:*:*:*:*:*:*:*
  • OR cpe:/a:postgresql:postgresql:10.15:*:*:*:*:*:*:*
  • OR cpe:/a:postgresql:postgresql:11.10:*:*:*:*:*:*:*
  • OR cpe:/a:postgresql:postgresql:12.5:*:*:*:*:*:*:*
  • OR cpe:/a:postgresql:postgresql:13.1:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:data_risk_manager:2.0.6:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
Oval Definitions
Definition ID                          Class  Last Modified  Title
oval:org.opensuse.security:def:8014    P      2023-06-20     go1.20-1.20.4-150000.1.11.1 on GA media (Moderate)
oval:org.opensuse.security:def:7459    P      2023-06-12     cairo-devel-1.16.0-150400.9.6 on GA media (Moderate)
oval:org.opensuse.security:def:7649    P      2023-06-12     libpq5-15.3-150200.5.9.1 on GA media (Moderate)
oval:org.opensuse.security:def:8089    P      2023-06-12     postgresql14-14.8-150200.5.26.1 on GA media (Moderate)
oval:org.opensuse.security:def:3061    P      2022-06-28     elfutils-0.158-7.7.2 on GA media (Moderate)
oval:org.opensuse.security:def:3563    P      2022-06-28     libXpm4-3.5.11-5.1 on GA media (Moderate)
oval:org.opensuse.security:def:3447    P      2022-06-28     bubblewrap-0.3.3-1.31 on GA media (Moderate)
oval:org.opensuse.security:def:3487    P      2022-06-28     file-5.22-10.12.2 on GA media (Moderate)
oval:org.opensuse.security:def:94691   P      2022-06-22     libpq5-14.2-5.9.2 on GA media (Moderate)
oval:org.opensuse.security:def:95077   P      2022-06-22     postgresql13-13.6-5.25.1 on GA media (Moderate)
oval:org.opensuse.security:def:94675   P      2022-06-22     libopenssl-1_1-devel-1.1.1l-150400.5.14 on GA media (Moderate)
oval:org.opensuse.security:def:95117   P      2022-06-22     libecpg6-14.2-5.9.2 on GA media (Moderate)
oval:org.opensuse.security:def:184     P      2022-06-13     libpq5-13.2-5.6.1 on GA media (Moderate)
oval:org.opensuse.security:def:112621  P      2022-01-17     libecpg6-13.4-1.3 on GA media (Moderate)
oval:org.opensuse.security:def:106104  P      2021-10-01     libecpg6-13.4-1.3 on GA media (Moderate)
oval:org.opensuse.security:def:102208  P      2021-09-18     Security update for xen (Moderate)
oval:org.opensuse.security:def:101388  P      2021-08-10     ovmf-202008-8.1 on GA media (Moderate)
oval:org.opensuse.security:def:2249    P      2021-08-10     libecpg6-13.2-5.6.1 on GA media (Moderate)
oval:org.opensuse.security:def:63338   P      2021-08-10     libecpg6-13.2-5.6.1 on GA media (Moderate)
oval:org.opensuse.security:def:62202   P      2021-08-09     libpq5-13.2-5.6.1 on GA media (Moderate)
oval:org.opensuse.security:def:71943   P      2021-08-09     libpq5-13.2-5.6.1 on GA media (Moderate)
oval:org.opensuse.security:def:100960  P      2021-08-09     libpq5-13.2-5.6.1 on GA media (Moderate)
oval:org.opensuse.security:def:1113    P      2021-08-09     libpq5-13.2-5.6.1 on GA media (Moderate)
oval:org.opensuse.security:def:118547  P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:94430   P      2021-02-22     (Moderate)
oval:org.opensuse.security:def:26197   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:97229   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:68548   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:76104   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:5184    P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:93793   P      2021-02-22     (Moderate)
oval:org.opensuse.security:def:108874  P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:100375  P      2021-02-22     (Moderate)
oval:org.opensuse.security:def:95884   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:33081   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:69103   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:58904   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:117568  P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:94008   P      2021-02-22     (Moderate)
oval:org.opensuse.security:def:109263  P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:100709  P      2021-02-22     (Moderate)
oval:org.opensuse.security:def:96095   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:64652   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:34635   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:102597  P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:60458   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:118348  P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:5947    P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:94219   P      2021-02-22     (Moderate)
oval:org.opensuse.security:def:109451  P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:87545   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:67036   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:73774   P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:108054  P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:102785  P      2021-02-22     Security update for postgresql13 (Moderate)
oval:org.opensuse.security:def:95495   P      2021-02-22     Security update for postgresql13 (Moderate)
Affected products (vendor, product, version):
  • postgresql postgresql * (13.0 to 13.1)
  • redhat software collections -
  • redhat enterprise linux 7.0
  • redhat enterprise linux 8.0
  • fedoraproject fedora 33
  • postgresql postgresql 9.5.24
  • postgresql postgresql 9.6.20
  • postgresql postgresql 10.15
  • postgresql postgresql 11.10
  • postgresql postgresql 12.5
  • postgresql postgresql 13.1
  • ibm data risk manager 2.0.6