Unrated severityNVD Advisory· Published Mar 2, 2022· Updated Aug 3, 2024

CVE-2021-3677

Description

A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.

Affected products

postgresql/postgresqldescription
osv-coords43 versions
pkg:bitnami/postgresql pkg:rpm/almalinux/pgaudit pkg:rpm/almalinux/pg_repack pkg:rpm/almalinux/postgres-decoderbufs pkg:rpm/almalinux/postgresql pkg:rpm/almalinux/postgresql-contrib pkg:rpm/almalinux/postgresql-docs pkg:rpm/almalinux/postgresql-plperl pkg:rpm/almalinux/postgresql-plpython3 pkg:rpm/almalinux/postgresql-pltcl pkg:rpm/almalinux/postgresql-server pkg:rpm/almalinux/postgresql-server-devel pkg:rpm/almalinux/postgresql-static pkg:rpm/almalinux/postgresql-test pkg:rpm/almalinux/postgresql-test-rpm-macros pkg:rpm/almalinux/postgresql-upgrade pkg:rpm/almalinux/postgresql-upgrade-devel pkg:rpm/opensuse/postgresql11&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/postgresql12&distro=openSUSE%20Leap%2015.3 pkg:rpm/opensuse/postgresql12&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/postgresql13&distro=openSUSE%20Leap%2015.3 pkg:rpm/opensuse/postgresql13&distro=openSUSE%20Tumbleweed pkg:rpm/suse/postgresql12&distro=SUSE%20Enterprise%20Storage%206 pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-ESPOS pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2 pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Legacy%2015%20SP3 pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2 pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-BCL pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/postgresql12&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5 pkg:rpm/suse/postgresql13&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP2 pkg:rpm/suse/postgresql13&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 pkg:rpm/suse/postgresql13&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP2 pkg:rpm/suse/postgresql13&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP3 pkg:rpm/suse/postgresql13&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2 pkg:rpm/suse/postgresql13&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP3 pkg:rpm/suse/postgresql13&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP5 pkg:rpm/suse/postgresql13&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP5 pkg:rpm/suse/postgresql13&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP5
>= 11.0.0, < 11.13.0+ 42 more
- (no CPE)range: >= 11.0.0, < 11.13.0
- (no CPE)range: < 1.4.0-5.module_el8.6.0+2758+4f4474df
- (no CPE)range: < 1.4.6-3.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 0.10.0-2.module_el8.6.0+2760+1746ec94
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 12.9-1.module_el8.5.0+2606+4554acc4
- (no CPE)range: < 11.13-1.3
- (no CPE)range: < 12.8-8.23.2
- (no CPE)range: < 12.8-1.3
- (no CPE)range: < 13.4-5.16.2
- (no CPE)range: < 13.4-1.3
- (no CPE)range: < 12.12-150100.3.33.1
- (no CPE)range: < 12.12-150100.3.33.1
- (no CPE)range: < 12.12-150100.3.33.1
- (no CPE)range: < 12.8-8.23.2
- (no CPE)range: < 12.8-8.23.2
- (no CPE)range: < 12.8-8.23.2
- (no CPE)range: < 12.8-3.18.2
- (no CPE)range: < 12.12-150100.3.33.1
- (no CPE)range: < 12.12-150100.3.33.1
- (no CPE)range: < 12.8-3.18.2
- (no CPE)range: < 12.12-150100.3.33.1
- (no CPE)range: < 12.8-3.18.2
- (no CPE)range: < 13.4-5.16.2
- (no CPE)range: < 13.4-5.16.2
- (no CPE)range: < 13.4-5.16.2
- (no CPE)range: < 13.4-5.16.2
- (no CPE)range: < 13.4-5.16.2
- (no CPE)range: < 13.4-5.16.2
- (no CPE)range: < 13.4-3.12.2
- (no CPE)range: < 13.4-3.12.2
- (no CPE)range: < 13.4-3.12.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

security.gentoo.org/glsa/202211-04mitrevendor-advisory
bugzilla.redhat.com/show_bug.cgimitre
security.netapp.com/advisory/ntap-20220407-0008/mitre
www.postgresql.org/support/security/CVE-2021-3677/mitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000