CVE-2021-23214
Severity
8.1HIGH
EPSS
0.2%
top 54.80%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 4
Latest updateSep 28
Description
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 2.2 | Impact: 5.9
Affected Packages6 packages
Also affects: Fedora 34, 35, Enterprise Linux 8.0
Patches
🔴Vulnerability Details
4GHSA▶
GHSA-467w-rrqc-395f: When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker ca↗2022-03-05
CVEList▶
CVE-2021-23214: When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker ca↗2022-03-04
OSV▶
CVE-2021-23214: When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker ca↗2022-03-04
📋Vendor Advisories
6Microsoft▶
Odyssey passes to server unencrypted bytes from man-in-the-middle When Odyssey is configured to use certificate Common Name for client authentication a man-in-the-middle attacker can inject arbitrary ↗2022-08-09
Microsoft▶
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is↗2022-03-08