Lucene search

GoogleOSV:BIT-POSTGRESQL-2021-23214

HistoryMar 06, 2024 - 11:05 a.m.

BIT-postgresql-2021-23214

2024-03-0611:05:31

Google

osv.dev

server configuration

trust authentication

client certificate

certificate authentication

ssl certificate

sql injection

encryption

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

7.4 High

AI Score

Confidence

Low

5.1 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:H/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

56.5%

JSON

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

CPENameOperatorVersion
postgresqllt11.14.0
postgresqlge13.0.0
postgresqlge11.0.0
postgresqlge12.0.0
postgresqllt13.5.0
postgresqlle14.0.0
postgresqllt10.19.0
postgresqlge10.0.0
postgresqlge14.0.0
postgresqllt12.9.0

Name	Operator	Version
postgresql	lt	11.14.0
postgresql	ge	13.0.0
postgresql	ge	11.0.0
postgresql	ge	12.0.0
postgresql	lt	13.5.0
postgresql	le	14.0.0
postgresql	lt	10.19.0
postgresql	ge	10.0.0
postgresql	ge	14.0.0
postgresql	lt	12.9.0