CVE-2021-3677: 
PostgreSQL vulnerability analysis and mitigation

CVE-2021-3677 is a vulnerability in PostgreSQL that allows memory disclosure through purpose-crafted queries. The vulnerability affects PostgreSQL versions 11.0 prior to 11.13, 12.0 prior to 12.8, and 13.0 prior to 13.4. This security flaw was disclosed on August 12, 2021, and affects the core server component of PostgreSQL (PostgreSQL Security).

The vulnerability allows a purpose-crafted query to read arbitrary bytes of server memory. The attack can be executed by any authenticated database user in the default configuration and does not require the ability to create objects. The vulnerability has a CVSS 3.0 base score of 6.5 (Medium), with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. If server settings include maxworkerprocesses=0, the known versions of this attack are infeasible, though undiscovered variants may not be affected by this setting (PostgreSQL Security).

Successful exploitation of this vulnerability could lead to the disclosure of sensitive information from server memory. Any authenticated database user can potentially execute this attack in default configurations, making it a significant security concern for PostgreSQL deployments (NetApp Security).

The vulnerability has been fixed in PostgreSQL versions 13.4, 12.8, and 11.13. Users should upgrade to these or later versions to address the security issue. While setting maxworkerprocesses=0 may prevent known versions of this attack, it is not recommended as a permanent solution since undiscovered variants may not be affected by this setting (PostgreSQL Security, Red Hat Security).