CVE-2018-10936: Improper Validation of Certificate with Host Mismatch in Postgresql Jdbc Driver

Severity
NVD: 8.1 HIGH
OSV: 9.8
EPSS: 0.8% (top 25.14%)
CISA KEV: Not in KEV
Exploit: No known exploits

Timeline
Published: Aug 30
Latest update: Mar 15

Description

A weakness was found in postgresql-jdbc before version 42.2.5. When a custom SSL Factory was supplied, the driver did not check the server's host name unless a host name verifier was also provided. This could lead to a condition where a man-in-the-middle attacker could masquerade as a trusted server by providing a certificate for the wrong host, as long as it was signed by a trusted CA.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 2.2 | Impact: 5.9

Affected Packages (2 packages)

Ubuntu: sympa/sympa < 6.1.17~dfsg-1ubuntu0.1~esm1+3

Also affects: Enterprise Linux 6.0, 7.0

Vulnerability Details (6)

OSV: sympa vulnerabilities (2021-03-15)
OSV: sympa vulnerabilities (2020-07-28)
GHSA: Moderate severity vulnerability that affects org.postgresql:pgjdbc-aggregate (2018-10-19)
OSV: Moderate severity vulnerability that affects org.postgresql:pgjdbc-aggregate (2018-10-19)
CVEList: CVE-2018-10936: A weakness was found in postgresql-jdbc before version 42 (2018-08-30)

Vendor Advisories (2)

Red Hat: PostgreSQL: Postgres JDBC driver does not perform host name validation by default (2018-08-27)
Debian: CVE-2018-10936: libpgjava - A weakness was found in postgresql-jdbc before version 42.2.5. It was possible t... (2018)

Community (2)

Bugzilla: CVE-2018-10936 postgresql-jdbc: PostgreSQL: Postgres JDBC driver does not perform host name validation by default [fedora-all] (2019-01-08)
Bugzilla: CVE-2018-10936 PostgreSQL: Postgres JDBC driver does not perform host name validation by default (2018-08-24)
CVE-2018-10936 — Postgresql Jdbc Driver vulnerability | cvebase