An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.
The product generates an error message that includes sensitive information about its environment, users, or associated data.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Postgresql | Postgresql | * | 11.11 (excluding) |
Postgresql | Postgresql | 12.0 (including) | 12.6 (excluding) |
Postgresql | Postgresql | 13.0 (including) | 13.2 (excluding) |
Red Hat Enterprise Linux 8 | RedHat | postgresql:12-8040020210604112312.522a0ee4 | * |
Red Hat Enterprise Linux 8.2 Extended Update Support | RedHat | postgresql:12-8020020210602190140.4cda2c84 | * |
Red Hat Software Collections for Red Hat Enterprise Linux 7 | RedHat | rh-postgresql12-postgresql-0:12.7-1.el7 | * |
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | RedHat | rh-postgresql12-postgresql-0:12.7-1.el7 | * |
Postgresql-10 | Ubuntu | upstream | * |
Postgresql-12 | Ubuntu | esm-infra/focal | * |
Postgresql-12 | Ubuntu | focal | * |
Postgresql-12 | Ubuntu | groovy | * |
Postgresql-12 | Ubuntu | trusty | * |
Postgresql-12 | Ubuntu | upstream | * |
Postgresql-13 | Ubuntu | devel | * |
Postgresql-13 | Ubuntu | trusty | * |
Postgresql-13 | Ubuntu | upstream | * |
Postgresql-9.1 | Ubuntu | trusty | * |
Postgresql-9.3 | Ubuntu | trusty | * |