Page 5 of 168 results (0.007 seconds)

CVSS: 9.8EPSS: 2%CPEs: 8EXPL: 2

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via `authenticationPluginClassName`, `sslhostnameverifier`, `socketFactory`, `sslfactory`, `sslpasswordcallback` connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. • https://github.com/ToontjeM/CVE-2022-21724 https://github.com/pgjdbc/pgjdbc/commit/f4d0ed69c0b3aae8531d83d6af4c57f22312c813 https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-v7wg-cpwc-24m4 https://lists.debian.org/debian-lts-announce/2022/05/msg00027.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BVEO7BEFXPBVHSPYL3YKQWZI6DYXQLFS https://security.netapp.com/advisory/ntap-20220311-0005 https://www.debian.org/security/2022/dsa-5196 https://access.redhat.com&# • CWE-665: Improper Initialization •

CVSS: 5.9EPSS: 0%CPEs: 6EXPL: 0

A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption. Un atacante de tipo man-in-the-middle puede inyectar respuestas falsas a las primeras consultas del cliente, a pesar de haber usado la verificación y el cifrado de certificados SSL • https://bugzilla.redhat.com/show_bug.cgi?id=2022675 https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commitdiff%3Bh=d83cdfdca9d918bbbd6bb209139b94c954da7228 https://github.com/postgres/postgres/commit/160c0258802d10b0600d7671b1bbea55d8e17d45 https://security.gentoo.org/glsa/202211-04 https://www.postgresql.org/support/security/CVE-2021-23222 https://access.redhat.com/security/cve/CVE-2021-23222 • CWE-522: Insufficiently Protected Credentials •

CVSS: 8.1EPSS: 0%CPEs: 12EXPL: 0

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. Cuando el servidor está configurado para usar la autenticación confiable con un requisito de clientcert o para usar la autenticación de cert, un atacante de tipo man-in-the-middle puede inyectar consultas SQL arbitrarias cuando es establecida una conexión por primera vez, a pesar del uso de la verificación y el cifrado del certificado SSL It was found that a PostgreSQL server could accept plain text data during the establishment of an SSL connection. When a user is requesting a certificate based authentication, an active Person in the Middle could use this flaw in order to inject arbitrary SQL commands. • https://bugzilla.redhat.com/show_bug.cgi?id=2022666 https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951 https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951 https://security.gentoo.org/glsa/202211-04 https://www.postgresql.org/support/security/CVE-2021-23214 https://access.redhat.com/security/cve/CVE-2021-23214 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 6.5EPSS: 0%CPEs: 10EXPL: 0

A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. • https://bugzilla.redhat.com/show_bug.cgi?id=2001857 https://security.gentoo.org/glsa/202211-04 https://security.netapp.com/advisory/ntap-20220407-0008 https://www.postgresql.org/support/security/CVE-2021-3677 https://access.redhat.com/security/cve/CVE-2021-3677 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •

CVSS: 6.5EPSS: 0%CPEs: 4EXPL: 0

A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality. Se ha encontrado un fallo en postgresql. usando un comando UPDATE ... • https://bugzilla.redhat.com/show_bug.cgi?id=1956883 https://security.netapp.com/advisory/ntap-20211112-0003 https://www.postgresql.org/support/security/CVE-2021-32029 https://access.redhat.com/security/cve/CVE-2021-32029 • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •