CVE-2021-23214
Published: August 31, 2023Last modified: August 31, 2023
Description
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.1 |
Attack Vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
User interaction | NONE |
Scope | UNCHANGED |
Confidentiality | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Status
Product | Release | Package | Status |
---|---|---|---|
Alpaquita Linux | 23 LTS | postgresql15 | Not affected (15.4-r0) |
Stream | postgresql15 | Not affected (15.4-r0) |
References
- https://bugzilla.redhat.com/show_bug.cgi?id=2022666
- https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=28e24125541545483093819efae9bca603441951
- https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951
- https://security.gentoo.org/glsa/202211-04
- https://www.postgresql.org/support/security/CVE-2021-23214/