Memory Exposure Vulnerability in PostgreSQL by PostgreSQL Global Development Group
CVE-2021-3677

6.5MEDIUM

Key Information:

Vendor: Postgresql
Status: Postgresql
Vendor: CVE Published:; 2 March 2022

Summary

A vulnerability in PostgreSQL allows authenticated users to execute specially crafted queries that can read arbitrary bytes from the server's memory. This flaw can be exploited without the need for additional privileges, making it a significant risk in default configurations. The severity of the attack can vary depending on the server settings, specifically if 'max_worker_processes' is set to 0, making some known exploit variants infeasible. However, there may exist undiscovered attack variants that are not limited by this server configuration. Database administrators should assess their systems to ensure they are protected against this memory exposure risk.

Affected Version(s)

postgresql Fixedin v13.4, v12.8, v11.13

References

https://www.postgresql.org/support/security/CVE-2021-3677/

https://bugzilla.redhat.com/show_bug.cgi?id=2001857

https://security.netapp.com/advisory/ntap-20220407-0008/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 2, 2022
Vulnerability Reserved
Aug 3, 2021