CVE-2021-3393
postgresql: Partition constraint violation errors leak values of denied columns
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.
Se detectó un filtrado de información en postgresql en versiones anteriores a 13.2, versiones anteriores a 12.6 y versiones anteriores a 11.11. Un usuario que tenga el permiso UPDATE pero no el permiso SELECT para una columna en particular podría diseñar consultas que, en algunas circunstancias, podrían divulgar valores de esa columna en mensajes de error. Un atacante podría usar este fallo para obtener información almacenada en una columna que puede escribir pero no leer.
An information leak was discovered in postgresql. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.
An update that solves one vulnerability and has one errata is now available. This update for postgresql12 fixes the following issues. Upgrade to version 12.6. Fixed information leakage in constraint-violation error messages. This update was imported from the SUSE:SLE-15-SP1:Update update project.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-02-02 CVE Reserved
- 2021-02-15 CVE Published
- 2024-08-03 CVE Updated
- 2025-05-31 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-209: Generation of Error Message Containing Sensitive Information
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://security.netapp.com/advisory/ntap-20210507-0006 | Third Party Advisory |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://bugzilla.redhat.com/show_bug.cgi?id=1924005 | 2021-06-04 | |
| https://security.gentoo.org/glsa/202105-32 | 2021-06-04 | |
| https://access.redhat.com/security/cve/CVE-2021-3393 | 2021-06-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | < 11.11 Search vendor "Postgresql" for product "Postgresql" and version " < 11.11" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | >= 12.0 < 12.6 Search vendor "Postgresql" for product "Postgresql" and version " >= 12.0 < 12.6" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | >= 13.0 < 13.2 Search vendor "Postgresql" for product "Postgresql" and version " >= 13.0 < 13.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Software Collections Search vendor "Redhat" for product "Software Collections" | - | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||