CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Percentile: 80.4%
Severity: Medium
Date : 2021-06-01
CVE-ID : CVE-2021-32027 CVE-2021-32028 CVE-2021-32029
Package : postgresql
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1956
The package postgresql before version 13.3-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.
Upgrade to 13.3-1.
The problems have been fixed upstream in version 13.3.
Workaround : None.
A security issue was found in PostgreSQL before version 13.3. While
modifying certain SQL array values, missing bounds checks let
authenticated database users write arbitrary bytes to a wide area of
server memory.
A security issue was found in PostgreSQL before version 13.3. Using an
INSERT … ON CONFLICT … DO UPDATE command on a purpose-crafted
table, an attacker can read arbitrary bytes of server memory. In the
default configuration, any authenticated database user can create
prerequisite objects and complete this attack at will. A user lacking
the CREATE and TEMPORARY privileges on all databases and the CREATE
privilege on all schemas cannot use this attack at will.
A security issue was found in PostgreSQL before version 13.3. Using an
UPDATE … RETURNING on a purpose-crafted partitioned table, an
attacker can read arbitrary bytes of server memory. In the default
configuration, any authenticated database user can create prerequisite
objects and complete this attack at will. A user lacking the CREATE and
TEMPORARY privileges on all databases and the CREATE privilege on all
schemas typically cannot use this attack at will.
An authenticated remote attacker could read the database server memory
or execute arbitrary code on the server.
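As an added defensive example (not part of the advisory or of PostgreSQL's own documentation): SQL a DBA can run to confirm the server is at or past the fixed release and to see whether a role holds the prerequisite privileges the advisory names (CREATE or TEMPORARY on a database, CREATE on a schema), followed by the revocations that withdraw them; the role name app_user and database name mydb are assumed placeholders.

```sql
-- Added example; app_user and mydb are placeholders, not values from the advisory.

-- 1. Is the server already at the fixed release (13.3 = 130003)?
SELECT version(),
       current_setting('server_version_num')::int >= 130003 AS patched;

-- 2. Databases on which the role can CREATE or use TEMPORARY objects
--    (covers grants to the role itself and grants to PUBLIC).
SELECT d.datname,
       has_database_privilege('app_user', d.datname, 'CREATE')    AS can_create,
       has_database_privilege('app_user', d.datname, 'TEMPORARY') AS can_temp
FROM pg_database d
WHERE NOT d.datistemplate
ORDER BY d.datname;

-- 3. Schemas in the current database on which the role can CREATE
--    (run once per database; has_schema_privilege only sees the current one).
SELECT n.nspname,
       has_schema_privilege('app_user', n.nspname, 'CREATE') AS can_create
FROM pg_namespace n
WHERE n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema'
ORDER BY n.nspname;

-- 4. Interim hardening until 13.3-1 is installed: remove the default grants
--    that let any authenticated user create the prerequisite objects.
REVOKE CREATE, TEMPORARY ON DATABASE mydb FROM PUBLIC;
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

The privilege restriction only narrows the two memory-read issues as the advisory describes it; the array bounds-check issue carries no such caveat on this page, so upgrading remains the fix.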
https://www.postgresql.org/support/security/CVE-2021-32027/
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=467395bfdf33f1ccf67ca388ffdcc927271544cb
https://www.postgresql.org/support/security/CVE-2021-32028/
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=4a8656a7ee0c155b0249376af58eb3fc3a90415f
https://www.postgresql.org/support/security/CVE-2021-32029/
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a71cfc56bf6013e3ea1d673acaf73fe7ebbd6bf3
https://security.archlinux.org/CVE-2021-32027
https://security.archlinux.org/CVE-2021-32028
https://security.archlinux.org/CVE-2021-32029
| OS | OS Version | Architecture | Package | Package Version | Filename |
|---|---|---|---|---|---|
| ArchLinux | any | any | postgresql | < 13.3-1 | UNKNOWN |