CVE-2025-49146

EPSS 0.02%
Veröffentlicht 11.06.2025 14:32:39
Zuletzt bearbeitet 06.10.2025 19:29:58
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Postgresql ≫ Postgresql Jdbc Driver Version >= 42.7.4 < 42.7.7

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.044

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	5.9	2.2	3.6	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54

Vendor Advisory

https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-49146

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-49146

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-49146

EUVD