Missing Encryption of Sensitive Data in PostgreSQL - CVE-2021-23222

 


Published: November 11, 2021


Vulnerability identifier: #VU58114
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2021-23222
CWE-ID: CWE-311
Exploitation vector: Adjacent network
Exploit availability: No public exploit available
Vendor: PostgreSQL Global Development Group
Affected software:
PostgreSQL

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a man-in-the-middle (MitM) attack.

The vulnerability exists due to the way the libpq process in PostgreSQL handles encrypted connections. A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. The attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session.


How to mitigate CVE-2021-23222

Install updates from the vendor's website.
