CVE-2021-20229

Single-column SELECT privilege enables reading all columns

A user having a SELECT privilege on an individual column can craft a special query that returns all columns of the table.

Additionally, a stored view that uses column-level privileges will have incomplete column-usage bitmaps. In installations that depend on column-level permissions for security, it is recommended to execute CREATE OR REPLACE on all user-defined views to force them to be re-parsed.

The PostgreSQL project thanks Sven Klemm for reporting this problem.

Version Information

Affected Version Fixed In Fix Published
13 13.2 Feb. 11, 2021

For more information about PostgreSQL versioning, please visit the versioning page.

CVSS 3.0

Overall Score 3.1
Component core server
Vector AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Reporting Security Vulnerabilities

If you wish to report a new security vulnerability in PostgreSQL, please send an email to [email protected].

For reporting non-security bugs, please see the Report a Bug page.