Memory leak in PostgreSQL - CVE-2021-32029

 

Memory leak in PostgreSQL - CVE-2021-32029

Published: May 13, 2021


Vulnerability identifier: #VU53233
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-32029
CWE-ID: CWE-401
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: PostgreSQL Global Development Group
Affected software:
PostgreSQL

Detailed vulnerability description

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due memory leak when processing UPDATE ... RETURNING command on a purpose-crafted partitioned table. A remote authenticated user can run the affected command and read arbitrary bytes of server memory. In the default configuration, any authenticated database user can create prerequisite objects and complete this attack at will.


How to mitigate CVE-2021-32029

Install updates from vendor's website.

Sources