5.9
CVE-2021-23222
- EPSS 1.5%
- Veröffentlicht 02.03.2022 23:15:08
- Zuletzt bearbeitet 21.11.2024 05:51:23
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Postgresql ≫ Postgresql Version >= 9.6 < 9.6.24
Postgresql ≫ Postgresql Version >= 10.0 < 10.19
Postgresql ≫ Postgresql Version >= 11.0 < 11.14
Postgresql ≫ Postgresql Version >= 12.0 < 12.9
Postgresql ≫ Postgresql Version >= 13.0 < 13.5
Postgresql ≫ Postgresql Version14.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.5% | 0.709 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 5.9 | 2.2 | 3.6 |
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
|
| nvd@nist.gov | 4.3 | 8.6 | 2.9 |
AV:N/AC:M/Au:N/C:P/I:N/A:N
|
CWE-522 Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
https://security.gentoo.org/glsa/202211-04
https://bugzilla.redhat.com/show_bug.cgi?id=2022675
https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commitdiff%3Bh=d83cdfdca9d918bbbd6bb209139b94c954da7228
https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45
https://www.postgresql.org/support/security/CVE-2021-23222/