Bug 1925296 (CVE-2021-20229) - CVE-2021-20229 postgresql: single-column SELECT privilege enables reading all columns
Status: NEW
Alias: CVE-2021-20229
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1927601 1927602 1927603 1927604 1927605 1927606 1927859 1927860 1927861 1927862 1927863 1927864 1967266 1967267 1967278 1967279 1967280 1967281 1967282 1967283
Blocks: 1925298 1925300
Reported: 2021-02-04 19:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-05-31 22:25 UTC

Fixed In Version: postgresql 13.2
Doc Text:
A flaw was found in PostgreSQL. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.

Description Guilherme de Almeida Suckevicz 2021-02-04 19:53:05 UTC
A user having SELECT privilege on one column can craft a special query that returns all columns of the table.

The PostgreSQL project thanks Sven Klemm for reporting this problem.

Comment 1 Guilherme de Almeida Suckevicz 2021-02-04 19:53:14 UTC
Acknowledgments:

Name: Sven Klemm

Comment 3 Guilherme de Almeida Suckevicz 2021-02-11 17:02:04 UTC
Created mingw-postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927862]


Created postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927861]


Created postgresql:10/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927860]


Created postgresql:11/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927864]


Created postgresql:12/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927863]


Created postgresql:9.6/postgresql tracking bugs for this issue:

Affects: fedora-all [bug 1927859]

Comment 5 Tom Lane 2021-03-05 14:43:57 UTC
Hey folks, this bug only affects Postgres 13.x, not earlier release branches.  See

https://git.postgresql.org/gitweb/?p=postgresql.git&a=commitdiff&h=c028faf2a

Comment 6 Tomas Hoger 2021-06-04 08:23:19 UTC
Upstream advisory:

https://www.postgresql.org/support/security/CVE-2021-20229/

