CVE-2021-3393: Medium severity postgresql common vulnerability

Published Feb 2, 2021
·
Updated

A user having some UPDATE privilege on a partitioned table but lacking the SELECT privilege on some column may nonetheless be able to acquire denied-column values from an error message. This is similar to CVE-2014-8161, but the conditions for exploitation are more rare.

The PostgreSQL project thanks Heikki Linnakangas for reporting this problem.

Other sources

An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.

MITRE

PostgreSQL could allow a remote authenticated attacker to obtain sensitive information, caused by a flaw in the error messages. By sending a specially-crafted query, an attacker could exploit this vulnerability to obtain sensitive information from a column they have UPDATE permission but not SELECT permission to, and use this information to launch further attacks against the affected system.

IBM

Affected Software

9 affected componentsFixes available
redhat/postgresql<13.2
13.2
redhat/postgresql<12.6
12.6
redhat/postgresql<11.11
11.11
PostgreSQL postgresql<11.11
PostgreSQL postgresql>=12.0<12.6
PostgreSQL postgresql>=13.0<13.2
redhat Software Collections
redhat Enterprise Linux=8.0
IBM Security Verify Access<=10.0.0

Event History

Apr 1, 2021
CVE Published
via MITRE·01:46 PM
Data Sourced
via MITRE·01:46 PM
DescriptionWeakness

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2021-3393?

CVE-2021-3393 is an information leak vulnerability in PostgreSQL versions before 13.2, before 12.6, and before 11.11.

2

How can a remote authenticated attacker exploit CVE-2021-3393?

A remote authenticated attacker can exploit CVE-2021-3393 by crafting queries that may disclose values from a specific column in error messages.

3

What is the severity of CVE-2021-3393?

CVE-2021-3393 has a severity rating of 4.3, which is considered medium.

4

Which versions of PostgreSQL are affected by CVE-2021-3393?

Versions before 13.2, before 12.6, and before 11.11 of PostgreSQL are affected by CVE-2021-3393.

5

Where can I find more information about CVE-2021-3393?

You can find more information about CVE-2021-3393 at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2014-8161), [Reference 2](https://bugzilla.redhat.com/show_bug.cgi?id=1927868), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi?id=1927867).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203