Main Vulnerability Database Vulnerabilities #VU53232

Memory leak in PostgreSQL - CVE-2021-32028

Published: May 13, 2021

Vulnerability identifier: #VU53232

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-32028

CWE-ID: CWE-401

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: PostgreSQL Global Development Group

Affected software:
PostgreSQL

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due memory leak within the INSERT ... ON CONFLICT ... DO UPDATE command implementation. A remote authenticated database user can execute the affected command to read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will.

How to mitigate CVE-2021-32028

Install updates from vendor's website.

Sources

https://www.postgresql.org/about/news/postgresql-133-127-1112-1017-and-9622-released-2210/

Memory leak in PostgreSQL - CVE-2021-32028

Detailed vulnerability description

How to mitigate CVE-2021-32028

Sources

Please verify you're human