CVE-2021-3393

Description

An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.

How to fix CVE-2021-3393

To remediate CVE-2021-3393, upgrade the affected package to a fixed version below.

• —upgrade to 11.11-r0 or later
• —upgrade to 13.2-r0 or later
• —upgrade to 13.2-r0 or later
• —upgrade to 13.2-r0 or later
• —upgrade to 11.11.0 or later
• —upgrade to 13.2-1 or later

Is CVE-2021-3393 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (6)

• from 0, < 11.11-r0
• from 0, < 13.2-r0
• from 0, < 13.2-r0
• from 0, < 13.2-r0
• from 0, < 11.11.0, >= 12.0.0, < 12.6.0, >= 13.0.0, < 13.2.0
• from 0, < 13.2-1

CVSS scores

References (6)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2021-3393
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2021-3393
• WEBbugzilla.redhat.com/show_bug.cgi?id=1924005
• WEBnvd.nist.gov/vuln/detail/CVE-2021-3393
• WEB