CVE-2025-2291

Опубликовано: 16 апр. 2025

Источник: debian

EPSS Низкий

Описание

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password

Пакеты

Пакет	Статус	Версия исправления	Релиз	Тип
pgbouncer	fixed	1.24.1-1		package
pgbouncer	no-dsa		bookworm	package

Примечания

Fixed by: https://github.com/pgbouncer/pgbouncer/commit/9912ee7f1af2e1b81d4d624a0da1cb49075ee78a (pgbouncer_1_24_1)

EPSS

Процентиль: 6%

0.00027

Низкий

Связанные уязвимости

CVE-2025-2291

CVSS3: 8.1

ubuntu

4 месяца назад

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password

CVE-2025-2291

CVSS3: 8.1

nvd

4 месяца назад

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password

CVE-2025-2291

CVSS3: 8.1

msrc

4 месяца назад

Описание отсутствует

ROS-20250619-05

CVSS3: 8.1

redos

2 месяца назад

Уязвимость pgbouncer

GHSA-qj9w-64mv-p2fw

CVSS3: 8.1

github

4 месяца назад

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres its VALID UNTIL value, which allows an attacker to log in with an already expired password

EPSS

Процентиль: 6%

0.00027

Низкий