
exploitDog

CVE-2025-2291

Published: 16 Apr 2025
Source: debian
EPSS Low

Description

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres's VALID UNTIL value, which allows an attacker to log in with an already expired password.

Packages

| Package | Status | Fixed version | Release | Type |
|---|---|---|---|---|
| pgbouncer | fixed | 1.24.1-1 | | package |
| pgbouncer | fixed | 1.18.0-1+deb12u1 | bookworm | package |

Notes

  • Fixed by: https://github.com/pgbouncer/pgbouncer/commit/9912ee7f1af2e1b81d4d624a0da1cb49075ee78a (pgbouncer_1_24_1)

EPSS

Percentile: 53%
0.00302
Low

Related vulnerabilities

CVSS3: 8.1
ubuntu
12 months ago

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres's VALID UNTIL value, which allows an attacker to log in with an already expired password.

CVSS3: 8.1
nvd
12 months ago

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres's VALID UNTIL value, which allows an attacker to log in with an already expired password.

CVSS3: 8.1
msrc
about 1 month ago

PgBouncer default auth_query does not take Postgres password expiry into account

CVSS3: 8.1
github
12 months ago

Password can be used past expiry in PgBouncer due to auth_query not taking into account Postgres's VALID UNTIL value, which allows an attacker to log in with an already expired password.

CVSS3: 8.1
fstec
12 months ago

Vulnerability in the PgBouncer connection pooler for PostgreSQL, related to flaws in the authentication procedure, allowing an attacker to gain unauthorized access to the application.
