5.9

CVE-2021-23222

A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
PostgresqlPostgresql Version >= 9.6 < 9.6.24
PostgresqlPostgresql Version >= 10.0 < 10.19
PostgresqlPostgresql Version >= 11.0 < 11.14
PostgresqlPostgresql Version >= 12.0 < 12.9
PostgresqlPostgresql Version >= 13.0 < 13.5
PostgresqlPostgresql Version14.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.5% 0.709
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.9 2.2 3.6
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
CWE-522 Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

https://security.gentoo.org/glsa/202211-04
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2022675
Third Party Advisory
Issue Tracking
https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commitdiff%3Bh=d83cdfdca9d918bbbd6bb209139b94c954da7228
https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45
Patch
Third Party Advisory
https://www.postgresql.org/support/security/CVE-2021-23222/
Vendor Advisory
Release Notes