CVE-2023-31136
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
61.7%
PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client’s first few queries, despite the use of TLS certificate verification and encryption. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| vapor | postgresnio | * | cpe:2.3:a:vapor:postgresnio:*:*:*:*:*:postgresql:*:* |
References
github.com/advisories/GHSA-467w-rrqc-395f
github.com/advisories/GHSA-735f-7qx4-jqq5
github.com/apple/swift-nio/pull/2419
github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7
github.com/vapor/postgres-nio/releases/tag/1.14.2
github.com/vapor/postgres-nio/security/advisories/GHSA-9cfh-vx93-84vv
www.postgresql.org/support/security/CVE-2021-23214/
www.postgresql.org/support/security/CVE-2021-23222/
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
61.7%