Arch Linux update for postgresql

Published: 2022-04-05
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2021-23214
Exploitation vector Local network
Public exploit N/A
Vulnerable software
Arch Linux
Operating systems & Components / Operating system

Vendor Arch Linux

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Missing Encryption of Sensitive Data

EUVDB-ID: #VU58113

Risk: Medium


CVE-ID: CVE-2021-23214

CWE-ID: CWE-311 - Missing Encryption of Sensitive Data

Exploit availability: No


The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way PostgreSQL handles encrypted connections. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.


Update the affected package postgresql to version 13.5-1.

Vulnerable software versions

Arch Linux: All versions

CPE2.3 External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?