CVE-2023-31136 – PostgresNIO processes unencrypted bytes from man-in-the-middle

https://notcve.org/view.php?id=CVE-2023-31136

PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users. • https://github.com/advisories/GHSA-467w-rrqc-395f https://github.com/advisories/GHSA-735f-7qx4-jqq5 https://github.com/apple/swift-nio/pull/2419 https://github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7 https://github.com/vapor/postgres-nio/releases/tag/1.14.2 https://github.com/vapor/postgres-nio/security/advisories/GHSA-9cfh-vx93-84vv https://www.postgresql.org/support/security/CVE-2021-23214 https://www.postgresql.org/support/security/CVE-2021-23222 • CWE-522: Insufficiently Protected Credentials •