Описание
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| postgresql-14 | fixed | 14.1-1 | package | |
| postgresql-13 | unfixed | package | ||
| postgresql-11 | removed | package | ||
| postgresql-9.6 | removed | package |
Примечания
https://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/
https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=046c2c846b741a12e7fd61d8d86bf324a20e3dfc (REL9_6_24)
EPSS
Связанные уязвимости
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
EPSS