#VU58113 Missing Encryption of Sensitive Data


Published: 2021-11-11

Vulnerability identifier: #VU58113

Vulnerability risk: Medium

CVSSv3.1:

CVE-ID: CVE-2021-23214

CWE-ID: CWE-311

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote attacker to perform MitM attack.

The vulnerability exists due to the way PostgreSQL handles encrypted connections. When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 14.0, 13.0 - 13.4, 12 - 12.8, 11.0 - 11.13, 10.1 - 10.18, 9.6.0 - 9.6.23


CPE

External links
http://www.postgresql.org/about/news/postgresql-141-135-129-1114-1019-and-9624-released-2349/


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability