CVE-2021-32028: 
PostgreSQL vulnerability analysis and mitigation

CVE-2021-32028 is a security vulnerability discovered in PostgreSQL that was disclosed on May 13, 2021. The vulnerability affects PostgreSQL versions 9.6.0 through 9.6.22, 10.0 through 10.17, 11.0 through 11.12, 12.0 through 12.7, and 13.0 through 13.3. This flaw allows an authenticated database user to read arbitrary bytes of server memory using a specially crafted INSERT ... ON CONFLICT ... DO UPDATE command (PostgreSQL Security).

The vulnerability exists in PostgreSQL's handling of INSERT ... ON CONFLICT ... DO UPDATE commands. When executed on a purpose-crafted table, this command can be manipulated to read arbitrary bytes of server memory. The vulnerability has been assigned a CVSS v3.1 score of 6.5 (Medium), with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, and high impact on confidentiality (NetApp Advisory).

The primary impact of this vulnerability is on data confidentiality. When successfully exploited, an attacker can read arbitrary bytes of server memory, potentially exposing sensitive information stored in the database server's memory. In the default configuration, any authenticated database user can create the prerequisite objects and execute this attack (PostgreSQL Security).

The vulnerability has been fixed in PostgreSQL versions 13.3, 12.7, 11.12, 10.17, and 9.6.22. Users are strongly advised to upgrade to these or later versions to protect against this vulnerability. The fix was released on May 13, 2021 (PostgreSQL Security).