#VU112166 Improper Authentication in Postgresql JDBC Driver - CVE-2025-49146
Vulnerability identifier: #VU112166
Vulnerability risk: High
CVSSv4.0: 6.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-287
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Postgresql JDBC Driver
Universal components / Libraries /
Libraries used by multiple products
Vendor: PostgreSQL Global Development Group
Description
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). A remote attacker can intercept connections that users believed were protected by channel binding requirements.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Postgresql JDBC Driver: 42.7.4 - 42.7.6
External links
https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0
https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54
Q & A
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?
