CVE-2018-10936
published 2018-08-30

Priority: P3 41
CVSS 3.0: 8.1 (high), vector CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.91% (85.2th percentile)
A weakness was found in postgresql-jdbc before version 42.2.5. It was possible to provide an SSL Factory and not check the host name if a host name verifier was not provided to the driver. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.

Affected

8 ranges

Vendor | Product | Version range | Fixed in
debian | libpgjava | < libpgjava 42.2.5-1 (bookworm) | libpgjava 42.2.5-1 (bookworm)
postgresql | postgresql_jdbc_driver | < 42.2.5 | 42.2.5
redhat | enterprise_linux | (not given) | (not given)
redhat | enterprise_linux | (not given) | (not given)
sympa | sympa | >= 0 < 6.1.17~dfsg-1ubuntu0.1~esm1 | 6.1.17~dfsg-1ubuntu0.1~esm1
sympa | sympa | >= 0 < 6.1.24~dfsg-1ubuntu0.1~esm1 | 6.1.24~dfsg-1ubuntu0.1~esm1
sympa | sympa | >= 0 < 6.2.24~dfsg-1ubuntu0.1~esm1 | 6.2.24~dfsg-1ubuntu0.1~esm1
sympa | sympa | >= 0 < 6.2.40~dfsg-4ubuntu0.20.04.1~esm1 | 6.2.40~dfsg-4ubuntu0.20.04.1~esm1

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P
osv | (not given) | 9.8 | CRITICAL | (not given)
vendor_debian | (not given) | 8.1 | HIGH | (not given)
vendor_redhat | (not given) | 8.1 | HIGH | (not given)