{"api_version":"1","generated_at":"2026-04-23T03:05:59+00:00","cve":"CVE-2021-32028","urls":{"html":"https://cve.report/CVE-2021-32028","api":"https://cve.report/api/cve/CVE-2021-32028.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-32028","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-32028"},"summary":{"title":"CVE-2021-32028","description":"A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2021-10-11 17:15:00","updated_at":"2023-01-31 17:29:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1956877","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1956877","refsource":"MISC","tags":[],"title":"1956877 – (CVE-2021-32028) CVE-2021-32028 postgresql: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://security.gentoo.org/glsa/202211-04","name":"GLSA-202211-04","refsource":"GENTOO","tags":[],"title":"PostgreSQL: Multiple Vulnerabilities (GLSA 202211-04) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.postgresql.org/support/security/CVE-2021-32028","name":"https://www.postgresql.org/support/security/CVE-2021-32028","refsource":"MISC","tags":[],"title":"PostgreSQL: CVE-2021-32028: Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.netapp.com/advisory/ntap-20211112-0003/","name":"https://security.netapp.com/advisory/ntap-20211112-0003/","refsource":"CONFIRM","tags":[],"title":"October 2021 PostgreSQL Vulnerabilities in NetApp Products | NetApp Product Security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-32028","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-32028","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"32028","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"postgresql","cpe5":"postgresql","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-32028","qid":"159265","title":"Oracle Enterprise Linux Security Update for postgresql:9.6 (ELSA-2021-2360)"},{"cve":"CVE-2021-32028","qid":"159266","title":"Oracle Enterprise Linux Security Update for postgresql:10 (ELSA-2021-2361)"},{"cve":"CVE-2021-32028","qid":"159268","title":"Oracle Enterprise Linux Security Update for postgresql:12 (ELSA-2021-2372)"},{"cve":"CVE-2021-32028","qid":"159269","title":"Oracle Enterprise Linux Security Update for postgresql:13 (ELSA-2021-2375)"},{"cve":"CVE-2021-32028","qid":"159369","title":"Oracle Enterprise Linux Security Update for rh-postgresql10-postgresql (ELSA-2021-9428)"},{"cve":"CVE-2021-32028","qid":"178598","title":"Debian Security Update for postgresql-9.6 (DLA 2662-1)"},{"cve":"CVE-2021-32028","qid":"178617","title":"Debian Security Update for postgresql-11 (DSA 4915-1)"},{"cve":"CVE-2021-32028","qid":"180141","title":"Debian Security Update for postgresql-13 (CVE-2021-32028)"},{"cve":"CVE-2021-32028","qid":"198391","title":"Ubuntu Security Notification for PostgreSQL vulnerabilities (USN-4972-1)"},{"cve":"CVE-2021-32028","qid":"239382","title":"Red Hat Update for postgresql:13 (RHSA-2021:2375)"},{"cve":"CVE-2021-32028","qid":"239383","title":"Red Hat Update for postgresql:12 (RHSA-2021:2372)"},{"cve":"CVE-2021-32028","qid":"239389","title":"Red Hat Update for postgresql:10 (RHSA-2021:2361)"},{"cve":"CVE-2021-32028","qid":"239390","title":"Red Hat Update for postgresql:9.6 (RHSA-2021:2360)"},{"cve":"CVE-2021-32028","qid":"239435","title":"Red Hat Update for rh-postgresql13-postgresql (RHSA-2021:2396)"},{"cve":"CVE-2021-32028","qid":"239436","title":"Red Hat Update for rh-postgresql10-postgresql (RHSA-2021:2395)"},{"cve":"CVE-2021-32028","qid":"239437","title":"Red Hat Update for rh-postgresql12-postgresql (RHSA-2021:2394)"},{"cve":"CVE-2021-32028","qid":"239438","title":"Red Hat Update for postgresql:9.6 (RHSA-2021:2393)"},{"cve":"CVE-2021-32028","qid":"239439","title":"Red Hat Update for postgresql:10 (RHSA-2021:2392)"},{"cve":"CVE-2021-32028","qid":"239440","title":"Red Hat Update for postgresql:9.6 (RHSA-2021:2391)"},{"cve":"CVE-2021-32028","qid":"239441","title":"Red Hat Update for postgresql:10 (RHSA-2021:2390)"},{"cve":"CVE-2021-32028","qid":"239442","title":"Red Hat Update for postgresql:12 (RHSA-2021:2389)"},{"cve":"CVE-2021-32028","qid":"356175","title":"Amazon Linux Security Advisory for postgresql : ALASPOSTGRESQL12-2023-004"},{"cve":"CVE-2021-32028","qid":"356201","title":"Amazon Linux Security Advisory for postgresql : ALASPOSTGRESQL11-2023-003"},{"cve":"CVE-2021-32028","qid":"356295","title":"Amazon Linux Security Advisory for postgresql : ALASPOSTGRESQL13-2023-003"},{"cve":"CVE-2021-32028","qid":"377098","title":"Alibaba Cloud Linux Security Update for postgresql:13 (ALINUX3-SA-2021:0043)"},{"cve":"CVE-2021-32028","qid":"500542","title":"Alpine Linux Security Update for postgresql"},{"cve":"CVE-2021-32028","qid":"501470","title":"Alpine Linux Security Update for postgresql"},{"cve":"CVE-2021-32028","qid":"501993","title":"Alpine Linux Security Update for postgresql13"},{"cve":"CVE-2021-32028","qid":"502010","title":"Alpine Linux Security Update for postgresql14"},{"cve":"CVE-2021-32028","qid":"502776","title":"Alpine Linux Security Update for postgresql15"},{"cve":"CVE-2021-32028","qid":"504309","title":"Alpine Linux Security Update for postgresql14"},{"cve":"CVE-2021-32028","qid":"505668","title":"Alpine Linux Security Update for postgresql15"},{"cve":"CVE-2021-32028","qid":"671156","title":"EulerOS Security Update for postgresql (EulerOS-SA-2021-2811)"},{"cve":"CVE-2021-32028","qid":"690135","title":"Free Berkeley Software Distribution (FreeBSD) Security Update for postgresql server (62da9702-b4cc-11eb-b9c9-6cc21735f730)"},{"cve":"CVE-2021-32028","qid":"710683","title":"Gentoo Linux PostgreSQL Multiple Vulnerabilities (GLSA 202211-04)"},{"cve":"CVE-2021-32028","qid":"750047","title":"SUSE Enterprise Linux Security Update for postgresql10 (SUSE-SU-2021:1782-1)"},{"cve":"CVE-2021-32028","qid":"750050","title":"SUSE Enterprise Linux Security Update for postgresql13 (SUSE-SU-2021:1784-1)"},{"cve":"CVE-2021-32028","qid":"750052","title":"SUSE Enterprise Linux Security Update for postgresql13 (SUSE-SU-2021:1785-1)"},{"cve":"CVE-2021-32028","qid":"750053","title":"SUSE Enterprise Linux Security Update for postgresql12 (SUSE-SU-2021:1783-1)"},{"cve":"CVE-2021-32028","qid":"750068","title":"SUSE Enterprise Linux Security Update for postgresql13 (SUSE-SU-2021:1785-1)"},{"cve":"CVE-2021-32028","qid":"750162","title":"SUSE Enterprise Linux Security Update for postgresql10 (SUSE-SU-2021:1970-1)"},{"cve":"CVE-2021-32028","qid":"750638","title":"OpenSUSE Security Update for postgresql10 (openSUSE-SU-2021:0894-1)"},{"cve":"CVE-2021-32028","qid":"750657","title":"SUSE Enterprise Linux Security Update for postgresql12 (SUSE-SU-2021:1994-1)"},{"cve":"CVE-2021-32028","qid":"750776","title":"OpenSUSE Security Update for postgresql13 (openSUSE-SU-2021:1785-1)"},{"cve":"CVE-2021-32028","qid":"750808","title":"OpenSUSE Security Update for postgresql10 (openSUSE-SU-2021:1970-1)"},{"cve":"CVE-2021-32028","qid":"750816","title":"OpenSUSE Security Update for postgresql12 (openSUSE-SU-2021:1994-1)"},{"cve":"CVE-2021-32028","qid":"750982","title":"SUSE Enterprise Linux Security Update for postgresql10 (SUSE-SU-2021:2777-1)"},{"cve":"CVE-2021-32028","qid":"751264","title":"SUSE Enterprise Linux Security Update for postgresql10 (SUSE-SU-2021:3481-1)"},{"cve":"CVE-2021-32028","qid":"752529","title":"SUSE Enterprise Linux Security Update for postgresql12 (SUSE-SU-2022:2958-1)"},{"cve":"CVE-2021-32028","qid":"940196","title":"AlmaLinux Security Update for postgresql:9.6 (ALSA-2021:2360)"},{"cve":"CVE-2021-32028","qid":"940218","title":"AlmaLinux Security Update for postgresql:13 (ALSA-2021:2375)"},{"cve":"CVE-2021-32028","qid":"940343","title":"AlmaLinux Security Update for postgresql:10 (ALSA-2021:2361)"},{"cve":"CVE-2021-32028","qid":"940413","title":"AlmaLinux Security Update for postgresql:12 (ALSA-2021:2372)"},{"cve":"CVE-2021-32028","qid":"960053","title":"Rocky Linux Security Update for postgresql:9.6 (RLSA-2021:2360)"},{"cve":"CVE-2021-32028","qid":"960091","title":"Rocky Linux Security Update for postgresql:13 (RLSA-2021:2375)"},{"cve":"CVE-2021-32028","qid":"960093","title":"Rocky Linux Security Update for postgresql:12 (RLSA-2021:2372)"},{"cve":"CVE-2021-32028","qid":"960101","title":"Rocky Linux Security Update for postgresql:10 (RLSA-2021:2361)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2021-32028","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"n/a","product":{"product_data":[{"product_name":"postgresql","version":{"version_data":[{"version_value":"postgresql 13.3, postgresql 12.7, postgresql 11.12, postgresql 10.17, postgresql 9.6.22"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://bugzilla.redhat.com/show_bug.cgi?id=1956877","url":"https://bugzilla.redhat.com/show_bug.cgi?id=1956877"},{"refsource":"MISC","name":"https://www.postgresql.org/support/security/CVE-2021-32028","url":"https://www.postgresql.org/support/security/CVE-2021-32028"},{"refsource":"CONFIRM","name":"https://security.netapp.com/advisory/ntap-20211112-0003/","url":"https://security.netapp.com/advisory/ntap-20211112-0003/"},{"refsource":"GENTOO","name":"GLSA-202211-04","url":"https://security.gentoo.org/glsa/202211-04"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality."}]}},"nvd":{"publishedDate":"2021-10-11 17:15:00","lastModifiedDate":"2023-01-31 17:29:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":6.5,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:N/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"NONE","availabilityImpact":"NONE","baseScore":4},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"13.0","versionEndExcluding":"13.3","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"12.0","versionEndExcluding":"12.7","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"10.0","versionEndExcluding":"10.17","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"11.0","versionEndExcluding":"11.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"9.6.0","versionEndExcluding":"9.6.22","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"32028","Ordinal":"207357","Title":"CVE-2021-32028","CVE":"CVE-2021-32028","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"32028","Ordinal":"1","NoteData":"A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"32028","Ordinal":"2","NoteData":"2021-10-11","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"32028","Ordinal":"3","NoteData":"2021-11-12","Type":"Other","Title":"Modified"}]}}}