CVE-2021-33204

NameCVE-2021-33204
DescriptionIn the pg_partman (aka PG Partition Manager) extension before 4.5.1 for PostgreSQL, arbitrary code execution can be achieved via SECURITY DEFINER functions because an explicit search_path is not set.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh
Debian Bugs988917

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
pg-partman (PTS)stretch2.6.3-1vulnerable
buster4.0.0-1vulnerable
bookworm, sid, bullseye4.5.1-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
pg-partmansource(unstable)4.5.1-1988917

Notes

[buster] - pg-partman <no-dsa> (Minor issue)
[stretch] - pg-partman <no-dsa> (Minor issue)
https://github.com/pgpartman/pg_partman/commit/0b6565ad378c358f8a6cd1d48ddc482eb7f854d3

Search for package or bug name: Reporting problems