CVE-2021-3935

Sažetak

When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1.

Reference

https://bugzilla.redhat.com/show_bug.cgi?id=2021251
http://www.pgbouncer.org/changelog.html#pgbouncer-116x
https://lists.debian.org/debian-lts-announce/2022/02/msg00016.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TNPCV3KRDI5PLLLKADFVIOHACQJLZMLI/

CVSS

Base:	5.1
Impact:	6.4
Exploitability:	4.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	HIGH	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:H/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

07-11-2023 - 03:38

Objavljeno

22-11-2021 - 16:15