1925296 – (CVE-2021-20229) CVE-2021-20229 postgresql: single-column SELECT privilege enables reading all columns

Bug 1925296 (CVE-2021-20229) - CVE-2021-20229 postgresql: single-column SELECT privilege enables reading all columns

Summary: CVE-2021-20229 postgresql: single-column SELECT privilege enables reading all...

Keywords:
Status:	NEW
Alias:	CVE-2021-20229
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	Red Hat1927601 Red Hat1927602 Red Hat1927603 Red Hat1927604 Red Hat1927605 Red Hat1927606 1927859 1927860 1927861 1927862 1927863 1927864 Red Hat1967266 Red Hat1967267 Red Hat1967278 Red Hat1967279 Red Hat1967280 Red Hat1967281 Red Hat1967282 Red Hat1967283
Blocks:	Embargoed1925298 Red Hat1925300
TreeView+	depends on / blocked

Reported:	2021-02-04 19:53 UTC by Guilherme de Almeida Suckevicz
Modified:	2023-05-31 22:25 UTC (History)
CC List:	62 users (show)
Fixed In Version:	postgresql 13.2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in PostgreSQL. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.
Clone Of:
Environment:
Last Closed:

Attachments	(Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-02-04 19:53:05 UTC

A user having SELECT privilege on one column can craft a special query that returns all columns of the table.

The PostgreSQL project thanks Sven Klemm for reporting this problem.

Comment 1 Guilherme de Almeida Suckevicz 2021-02-04 19:53:14 UTC

Acknowledgments:

Name: Sven Klemm

Comment 3 Guilherme de Almeida Suckevicz 2021-02-11 17:02:04 UTC

Created mingw-postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927862]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927861]


Created postgresql:10/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927860]


Created postgresql:11/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927864]


Created postgresql:12/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927863]


Created postgresql:9.6/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927859]

Comment 5 Tom Lane 2021-03-05 14:43:57 UTC

Hey folks, this bug only affects Postgres 13.x, not earlier release branches.  See

https://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=c028faf2a

Comment 6 Tomas Hoger 2021-06-04 08:23:19 UTC

Upstream advisory:

https://www.postgresql.org/support/security/CVE-2021-20229/

Note You need to log in before you can comment on or make changes to this bug.

aileenc
akoufoud
alazarot
anon.amish
anstephe
asoldano
avibelli
bbaranow
bgeorges
bmaxwell
brian.stansberry
cdewolf
chazlett
clement.escoffier
dandread
darran.lofthouse
databases-maint
devrim
dkreling
dosoudil
eleandro
gmalinko
gsmet
hamadhan
hhorak
ibek
iweiss
janstey
jmlich83
jochrist
jorton
jpallich
jperkins
jwon
kaycoth
kverlaen
kwills
lgao
lthon
mike
mnovotny
msochure
msvehla
nwallace
panovotn
pgallagh
pjindal
pkubat
pmackay
praiskup
probinso
rguimara
rruss
rstancel
rsvoboda
sbiarozk
sdaley
sdouglas
security-response-team
smaestri
tgl
tom.jenkinson