Vulnerability Name:

CVE-2021-32029 (CCN-207909)

Assigned: 2021-05-13
Published: 2021-05-13
Updated: 2022-08-05
Summary: A flaw was found in PostgreSQL. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.
CVSS v3 Severity: 6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.5 Medium (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Impact Metrics: Confidentiality (C): High
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-125
Vulnerability Consequences: Obtain Information
References:
Source: MITRE
Type: CNA
CVE-2021-32029

Source: CCN
Type: Red Hat Bugzilla – Bug 1956883
(CVE-2021-32029) - CVE-2021-32029 postgresql: Memory disclosure in partitioned-table UPDATE ... RETURNING

Source: MISC
Type: Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1956883

Source: XF
Type: UNKNOWN
postgresql-cve202132029-info-disc(207909)

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20211112-0003/

Source: CCN
Type: IBM Security Bulletin 6492933 (Sterling Connect:Direct for Microsoft Windows)
PostgreSQL Vulnerability Affects IBM Sterling Connect:Direct for Microsoft Windows (CVE-2021-32029)

Source: CCN
Type: IBM Security Bulletin 6496681 (API Connect)
IBM API Connect is impacted by a vulnerability in PostgreSQL (CVE-2021-32029)

Source: CCN
Type: IBM Security Bulletin 6518584 (Connect:Direct Web Services)
PostgreSQL Sensitive Information Exposure Vulnerability Affects IBM Connect:Direct Web Services (CVE-2021-32029)

Source: CCN
Type: IBM Security Bulletin 6525250 (Spectrum Copy Data Management)
Vulnerabilities in PostgreSQL, Apache, Golang Go, and Linux Kernel affect IBM Spectrum Copy Data Management

Source: CCN
Type: IBM Security Bulletin 6538418 (Security Verify Access)
Multiple Security Vulnerabilities fixed in IBM Security Verify Access

Source: CCN
Type: PostgreSQL Web site
Memory disclosure in partitioned-table UPDATE ... RETURNING

Source: MISC
Type: Vendor Advisory
https://www.postgresql.org/support/security/CVE-2021-32029/

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 13.0 and < 13.3)
  • OR cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 12.0 and < 12.7)
  • OR cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 11.0 and < 11.12)

Configuration 2:
  • cpe:/a:redhat:jboss_enterprise_application_platform:7.0.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:sterling_connect:direct:6.0:*:*:*:microsoft_windows:*:*:*
  • OR cpe:/a:ibm:api_connect:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_verify_access:10.0.1.0:*:*:*:*:*:*:*

* Denotes that component is vulnerable
Oval Definitions

Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8029 | P | kernel-docs-5.14.21-150500.53.2 on GA media (Moderate) | 2023-06-20
oval:org.opensuse.security:def:7649 | P | libpq5-15.3-150200.5.9.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:7466 | P | coreutils-8.32-150400.7.5 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:8089 | P | postgresql14-14.8-150200.5.26.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:7957 | P | libplist++-devel-2.0.0-1.31 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:7968 | P | libvdpau-devel-1.1.1-150000.3.2.1 on GA media (Moderate) | 2023-06-12
oval:org.opensuse.security:def:706 | P | Security update for perl-HTTP-Daemon (Moderate) | 2022-08-23
oval:org.opensuse.security:def:95291 | P | Security update for keylime (Important) | 2022-08-03
oval:org.opensuse.security:def:95252 | P | Security update for apache2 (Important) | 2022-07-06
oval:org.opensuse.security:def:3487 | P | file-5.22-10.12.2 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3440 | P | automake-1.13.4-6.2 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3607 | P | libidn-tools-1.28-5.6.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3061 | P | elfutils-0.158-7.7.2 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3447 | P | bubblewrap-0.3.3-1.31 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:3421 | P | PackageKit-1.1.3-24.9.1 on GA media (Moderate) | 2022-06-28
oval:org.opensuse.security:def:94552 | P | freetype2-devel-2.10.1-4.8.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94691 | P | libpq5-14.2-5.9.2 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95077 | P | postgresql13-13.6-5.25.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:94533 | P | cyrus-sasl-2.1.27-150300.4.6.1 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:95117 | P | libecpg6-14.2-5.9.2 on GA media (Moderate) | 2022-06-22
oval:org.opensuse.security:def:6062 | P | Security update for librelp (Moderate) | 2022-05-31
oval:org.opensuse.security:def:101965 | P | Security update for the Linux Kernel (Live Patch 13 for SLE 15 SP3) (Important) | 2022-04-15
oval:org.opensuse.security:def:102004 | P | Security update for the Linux Kernel (Live Patch 10 for SLE 15 SP3) (Critical) | 2022-02-16
oval:org.opensuse.security:def:6022 | P | Security update for aide (Important) | 2022-01-20
oval:org.opensuse.security:def:113160 | P | postgresql12-12.8-1.3 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:112621 | P | libecpg6-13.4-1.3 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:113158 | P | postgresql11-11.13-1.3 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:106104 | P | libecpg6-13.4-1.3 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:106584 | P | postgresql11-11.13-1.3 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:106585 | P | postgresql12-12.8-1.3 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:97001 | P | dhcp-relay-4.3.5-4.15 on GA media (Moderate) | 2021-09-21
oval:org.opensuse.security:def:101246 | P | ant-1.10.7-4.3.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:101265 | P | git-2.26.2-3.31.1 on GA media (Moderate) | 2021-08-09
oval:org.opensuse.security:def:111554 | P | Security update for postgresql13 (Moderate) | 2021-07-19
oval:org.opensuse.security:def:68555 | P | Security update for postgresql13 (Moderate) | 2021-07-11
oval:org.opensuse.security:def:1465 | P | Security update for postgresql13 (Moderate) | 2021-07-11
oval:org.opensuse.security:def:111586 | P | Security update for postgresql12 (Moderate) | 2021-07-10
oval:org.opensuse.security:def:67151 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:117446 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:109405 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:76219 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:67561 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:108670 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:101870 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:69057 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:66832 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:64529 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:75900 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:96049 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:107931 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:73651 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:6472 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:102739 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:97073 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:118501 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:org.opensuse.security:def:5743 | P | Security update for postgresql12 (Moderate) | 2021-06-17
oval:com.redhat.rhsa:def:20212372 | P | RHSA-2021:2372: postgresql:12 security update (Important) | 2021-06-10
oval:com.redhat.rhsa:def:20212375 | P | RHSA-2021:2375: postgresql:13 security update (Important) | 2021-06-10
oval:org.opensuse.security:def:32929 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:108631 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:60267 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:101437 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:73818 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:7422 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:95847 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:69046 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:94377 | P | (Moderate) | 2021-05-27
oval:org.opensuse.security:def:66793 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:1606 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:99948 | P | (Moderate) | 2021-05-27
oval:org.opensuse.security:def:5046 | P | Security update for postgresql12 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:34443 | P | Security update for postgresql12 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:93739 | P | (Moderate) | 2021-05-27
oval:org.opensuse.security:def:64510 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:75861 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:102560 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:96038 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:118311 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:26059 | P | Security update for postgresql12 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:107912 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:58752 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:100283 | P | (Moderate) | 2021-05-27
oval:org.opensuse.security:def:73632 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:5047 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:34444 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:68511 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:93954 | P | (Moderate) | 2021-05-27
oval:org.opensuse.security:def:109226 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:102728 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:118490 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:5704 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:69118 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:26060 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:67111 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:60266 | P | Security update for postgresql12 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:100612 | P | (Moderate) | 2021-05-27
oval:org.opensuse.security:def:117427 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:94165 | P | (Moderate) | 2021-05-27
oval:org.opensuse.security:def:109394 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:64696 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:76179 | P | Security update for postgresql13 (Moderate) | 2021-05-27
oval:org.opensuse.security:def:87393 | P | Security update for postgresql13 (Moderate) | 2021-05-27