CVSS: 8.1EPSS: 0%CPEs: 4EXPL: 0CVE-2021-3935
https://notcve.org/view.php?id=CVE-2021-3935
22 Nov 2021 — When PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption. This flaw affects PgBouncer versions prior to 1.16.1. Cuando PgBouncer está configurado para usar la autenticación "cert", un atacante de tipo "man-in-the-middle" puede inyectar consultas SQL arbitrarias cuando se establece una conexión por primera vez, a pesar del uso de la verificació... • http://www.pgbouncer.org/changelog.html#pgbouncer-116x • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-295: Improper Certificate Validation •
CVSS: 6.8EPSS: 0%CPEs: 35EXPL: 1CVE-2021-3672 – c-ares: Missing input validation of host names may lead to domain hijacking
https://notcve.org/view.php?id=CVE-2021-3672
10 Aug 2021 — A flaw was found in c-ares library, where a missing input validation check of host names returned by DNS (Domain Name Servers) can lead to output of wrong hostnames which might potentially lead to Domain Hijacking. The highest threat from this vulnerability is to confidentiality and integrity as well as system availability. Se ha encontrado un fallo en la biblioteca c-ares, en la que una falta de comprobación de la comprobación de entrada de los nombres de host devueltos por los DNS (Servidores de Nombres d... • https://bugzilla.redhat.com/show_bug.cgi?id=1988342 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 1%CPEs: 1EXPL: 0CVE-2015-6817 – Gentoo Linux Security Advisory 201701-24
https://notcve.org/view.php?id=CVE-2015-6817
11 Jan 2017 — PgBouncer 1.6.x before 1.6.1, when configured with auth_user, allows remote attackers to gain login access as auth_user via an unknown username. PgBouncer versiones 1.6.x anteriores a la 1.6.1, cuando está configurado con auth_user, permite a atacantes remotos obtener acceso como auth_user a través de un nombre de usuario desconocido. Multiple vulnerabilities have been found in PgBouncer, the worst of which may allow an attacker to bypass authentication. Versions less than 1.7.2 are affected. • http://comments.gmane.org/gmane.comp.db.postgresql.pgbouncer.general/1251 • CWE-287: Improper Authentication •
CVSS: 7.5EPSS: 3%CPEs: 1EXPL: 1CVE-2015-4054 – Gentoo Linux Security Advisory 201701-24
https://notcve.org/view.php?id=CVE-2015-4054
11 Jan 2017 — PgBouncer before 1.5.5 allows remote attackers to cause a denial of service (NULL pointer dereference and crash) by sending a password packet before a startup packet. PgBouncer versiones anteriores a la 1.5.5 permite a un atacante remoto causar un denegación de servicio (referencia a puntero nulo y caída de aplicación) enviando un paquete password antes de un paquete startup. Multiple vulnerabilities have been found in PgBouncer, the worst of which may allow an attacker to bypass authentication. Versions le... • http://www.openwall.com/lists/oss-security/2015/05/22/5 • CWE-476: NULL Pointer Dereference •
CVSS: 7.5EPSS: 1%CPEs: 2EXPL: 0CVE-2012-4575
https://notcve.org/view.php?id=CVE-2012-4575
18 Nov 2012 — The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a denial of service (daemon outage) via a long database name in a request. La función add_database en objects.c en pgbouncer pooler v1.5.2 para PostgreSQL permite a atacantes remotos provocar una denegación de servicio (parada del demonio) a través de un nombre de base de datos demasiado largo en una solicitud. • http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=692103 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •