CVE-2021-3935

November 26, 2021

When PgBouncer is configured to use “cert” authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1.

Summary:

When PgBouncer is configured to use “cert” authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1.

Reference Links(if available):

  • https://bugzilla.redhat.com/show_bug.cgi?id=2021251
  • http://www.pgbouncer.org/changelog.html#pgbouncer-116x

  • CVSS Score (if available)

    v2: / MEDIUM

    v3: /

    Links to Exploits(if available)

  • Tags: , , , ,

    You may have missed

    hkcert

    Cisco Products Multiple Vulnerabilities

    April 25, 2024
    HIBP Banner 1

    T2 – 94,584 breached accounts

    April 25, 2024
    CISA Logo

    CISA: CISA Releases Three Industrial Control Systems Advisories

    April 25, 2024
    CISA Logo

    CISA: CISA Releases Four Industrial Control Systems Advisories

    April 25, 2024
    CISA Logo

    CISA: Oracle Releases Critical Patch Update Advisory for April 2024

    April 25, 2024