postgres: Partition constraint violation errors leak values of denied columns (CVE-2021-3393)
CVE-2021-3393 Partition constraint violation errors leak values of denied columns
A security issue was found in PostgreSQL 11 to 13 before version 13.2. A user who has the UPDATE privilege on a partitioned table but lacks the SELECT privilege on some column may be able to obtain denied-column values from an error message. This is similar to CVE-2014-8161, but the conditions required to exploit it are rarer.
Affects
- edge: postgres-13.1-r2
- v3.13: postgres-13.1-r2
- v3.12: postgres-12.5-r0
- v3.11: postgres-12.5-r0
- v3.10: postgres-11.10-r0
Fixed in
- Postgres 13.2
- Postgres 12.6
- Postgres 11.11
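
The privilege combination named in the description (UPDATE on a partitioned table without SELECT on some column) can be audited from the system catalogs. The query below is an added example, not part of the original advisory or of the PostgreSQL project's fix. It uses only standard catalogs and privilege-inquiry functions, must be run in each database, and the output column names are chosen here for illustration.

```sql
-- Added audit example: list (role, partitioned table, column) combinations
-- where the role can UPDATE the table but cannot SELECT the column.
-- These are the grants that matter for CVE-2021-3393 on unpatched servers.
SELECT r.rolname                 AS role_name,         -- illustrative alias
       c.oid::regclass           AS partitioned_table, -- illustrative alias
       a.attname                 AS denied_column      -- illustrative alias
FROM   pg_class     AS c
JOIN   pg_attribute AS a
       ON  a.attrelid = c.oid
       AND a.attnum > 0            -- skip system columns
       AND NOT a.attisdropped      -- skip dropped columns
CROSS  JOIN pg_roles AS r
WHERE  c.relkind = 'p'             -- partitioned tables only
  -- true for a table-level UPDATE grant or an UPDATE grant on any column
  AND  has_any_column_privilege(r.oid, c.oid, 'UPDATE')
  -- false when neither a table-level nor a column-level SELECT grant applies
  AND  NOT has_column_privilege(r.oid, c.oid, a.attnum, 'SELECT')
ORDER  BY role_name, partitioned_table, a.attnum;

-- Compare the running server against the "Fixed in" list above.
SHOW server_version;
```

An empty result means no role in that database holds the affected privilege combination. The privilege functions take role membership and PUBLIC grants into account, and superusers never appear because they pass every privilege check.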