Arch Linux update for postgresql



Published: 2022-04-05
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-23214
CWE-ID CWE-311
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Subscribe
Arch Linux
Operating systems & Components / Operating system

Vendor Arch Linux

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Missing Encryption of Sensitive Data

EUVDB-ID: #VU58113

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23214

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way PostgreSQL handles encrypted connections. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

Mitigation

Update the affected package postgresql to version 13.5-1.

Vulnerable software versions

Arch Linux: All versions


CPE2.3 External links

http://security.archlinux.org/advisory/ASA-202204-1

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###