Vulnerability Name: CVE-2021-3393 (CCN-199296)

Assigned: 2021-02-02
Published: 2021-02-02
Updated: 2021-06-04
Summary: An information leak was discovered in PostgreSQL in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.
CVSS v3 Severity:
  4.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
  3.8 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics:
      Attack Vector (AV): Network
      Attack Complexity (AC): Low
      Privileges Required (PR): Low
      User Interaction (UI): None
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): Low
      Integrity (I): None
      Availability (A): None
  3.1 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
  2.7 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics:
      Attack Vector (AV): Network
      Attack Complexity (AC): High
      Privileges Required (PR): Low
      User Interaction (UI): None
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): Low
      Integrity (I): None
      Availability (A): None
  3.1 Low (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
  2.7 Low (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics:
      Attack Vector (AV): Network
      Attack Complexity (AC): High
      Privileges Required (PR): Low
      User Interaction (UI): None
    Scope:
      Scope (S): Unchanged
    Impact Metrics:
      Confidentiality (C): Low
      Integrity (I): None
      Availability (A): None
CVSS v2 Severity:
  3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
    Exploitability Metrics:
      Access Vector (AV): Network
      Access Complexity (AC): Medium
      Authentication (Au): Single_Instance
    Impact Metrics:
      Confidentiality (C): Partial
      Integrity (I): None
      Availability (A): None
  2.1 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N)
    Exploitability Metrics:
      Access Vector (AV): Network
      Access Complexity (AC): High
      Authentication (Au): Single_Instance
    Impact Metrics:
      Confidentiality (C): Partial
      Integrity (I): None
      Availability (A): None
Vulnerability Type: CWE-209
Vulnerability Consequences: Obtain Information
References:

Source: MITRE
Type: CNA
CVE-2021-3393

Source: CCN
Type: Red Hat Bugzilla - Bug 1924005
(CVE-2021-3393) - CVE-2021-3393 postgresql: Partition constraint violation errors leak values of denied columns

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1924005

Source: XF
Type: UNKNOWN
postgresql-cve20213393-info-disc(199296)

Source: GENTOO
Type: Third Party Advisory
GLSA-202105-32

Source: CONFIRM
Type: Third Party Advisory
https://security.netapp.com/advisory/ntap-20210507-0006/

Source: CCN
Type: IBM Security Bulletin 6456215 (Connect:Direct Web Services)
Security Bypass Vulnerability in PostgreSQL Affects IBM Connect:Direct Web Services (CVE-2021-3393)

Source: CCN
Type: IBM Security Bulletin 6538418 (Security Verify Access)
Multiple Security Vulnerabilities fixed in IBM Security Verify Access

Source: CCN
Type: PostgreSQL Web site
PostgreSQL

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version < 11.11)
  • OR cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 12.0 and < 12.6)
  • OR cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 13.0 and < 13.2)

Configuration 2:
  • cpe:/a:redhat:software_collections:-:*:*:*:*:*:*:*
  • OR cpe:/o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:postgresql:postgresql:11.10:*:*:*:*:*:*:*
  • OR cpe:/a:postgresql:postgresql:12.5:*:*:*:*:*:*:*
  • OR cpe:/a:postgresql:postgresql:13.1:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:security_verify_access:10.0.0:*:*:*:*:*:*:*
