postgres: Single-column SELECT privilege enables reading all columns (CVE-2021-20229)
A security issue was found in PostgreSQL 13 before version 13.2. A user having a SELECT privilege on an individual column can craft a special query that returns all columns of the table. Additionally, a stored view that uses column-level privileges will have incomplete column-usage bitmaps. In installations that depend on column-level permissions for security, it is recommended to execute CREATE OR REPLACE on all user-defined views to force them to be re-parsed.
Affects
- edge: postgres-13.1-r2
- v3.13: postgres-13.1-r2
References
Fixed in
- Postgres 13.2