Main Vulnerability Database Vulnerabilities #VU58114

#VU58114 Missing Encryption of Sensitive Data in PostgreSQL - CVE-2021-23222

Published: November 11, 2021

Vulnerability identifier: #VU58114

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2021-23222

CWE-ID: CWE-311

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vulnerable software:
PostgreSQL

Software vendor:
PostgreSQL Global Development Group

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way the libpq process in PostgreSQL handles encrypted connections. A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. The attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session.

Remediation

Install updates from vendor's website.

External links

https://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/