CVE-2021-23214
Published 2022-03-04
High, 8.1 (CVSS 3.1)
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
Affected
18 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | postgresql-13 | < postgresql-13 13.5-0+deb11u1 (bullseye) | postgresql-13 13.5-0+deb11u1 (bullseye) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | vapor_postgres-nio | >= 0 < 1.14.2 | 1.14.2 |
| msrc | cbl2_postgresql_14.2-1_on_cbl_mariner_2.0 | — | — |
| msrc | cm1_postgresql_12.12-1_on_cbl_mariner_1.0 | — | — |
| msrc | cm1_postgresql_12.7-2_on_cbl_mariner_1.0 | — | — |
| odyssey_project | odyssey | — | — |
| postgresql | postgresql | < 9.6.24 | 9.6.24 |
| postgresql | postgresql | — | — |
| postgresql | postgresql | >= 10.0 < 10.19 | 10.19 |
| postgresql | postgresql | >= 11.0 < 11.14 | 11.14 |
| postgresql | postgresql | >= 12.0 < 12.9 | 12.9 |
| postgresql | postgresql | >= 13.0 < 13.5 | 13.5 |
| redhat | enterprise_linux | — | — |
| redhat | enterprise_linux_for_ibm_z_systems | — | — |
| redhat | enterprise_linux_for_power_little_endian | — | — |
| redhat | software_collections | — | — |
CVSS provenance
nvd: v3.1, 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
ghsa: 8.1 HIGH
osv: 8.1 HIGH
Ubuntu
PostgreSQL vulnerabilities
vendor_ubuntu·2022-09-28·CVSS 8.1
CVE-2021-23214 [HIGH] PostgreSQL vulnerabilities
Title: PostgreSQL vulnerabilities
Summary: Several security issues were fixed in PostgreSQL.
Jacob Champion discovered that PostgreSQL incorrectly handled SSL
certificate verification and encryption. A remote attacker could possibly
use this issue to inject arbitrary SQL queries when a connection is first
established. (CVE-2021-23214)
Tom Lane discovered that PostgreSQL incorrectly handled certain array
subscripting calculations. An authenticated attacker could possibly use
this issue to overwrite server memory and escalate privileges.
(CVE-2021-32027)
Instructions: In general, a standard system update will make all the necessary changes.
Microsoft
Odyssey passes to server unencrypted bytes from man-in-the-middle
vendor_msrc·2022-08-09·CVSS 8.1
CVE-2021-43766 [HIGH] CWE-295
Odyssey passes to server unencrypted bytes from man-in-the-middle. When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. This is similar to CVE-2021-23214 for PostgreSQL.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work wh
Microsoft
vendor_msrc·2022-03-08·CVSS 8.1
CVE-2021-23214 [HIGH] CWE-89
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for mo
Ubuntu
PostgreSQL vulnerabilities
vendor_ubuntu·2021-11-11
CVE-2021-23222 PostgreSQL vulnerabilities
Title: PostgreSQL vulnerabilities
Summary: PostgreSQL could allow unintended access to network services.
Jacob Champion discovered that PostgreSQL incorrectly handled SSL
certificate verification and encryption. A remote attacker could possibly
use this issue to inject arbitrary SQL queries when a connection is first
established.
Instructions: This update uses a new upstream release, which includes additional bug
fixes. After a standard system update you need to restart PostgreSQL to
make all the necessary changes.
Red Hat
postgresql: server processes unencrypted bytes from man-in-the-middle
vendor_redhat·2021-11-11·CVSS 8.1
CVE-2021-23214 [HIGH] CWE-89 postgresql: server processes unencrypted bytes from man-in-the-middle
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
It was found that a PostgreSQL server could accept plain text data during the establishment of an SSL connection. When a user is requesting certificate-based authentication, an active Person in the Middle could use this flaw to inject arbitrary SQL commands.
Statement: In Red Hat Virtualization the manager appliance uses a vulnerable version of postgresql. Once a fix has been shipped for RHEL 8 the appliance can consume the fix
Debian
CVE-2021-23214: postgresql-13
vendor_debian·2021·CVSS 8.1
CVE-2021-23214 [HIGH]
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
Scope: local
bullseye: resolved (fixed in 13.5-0+deb11u1)
GHSA
PostgresNIO processes unencrypted bytes from man-in-the-middle
ghsa·2023-05-10·CVSS 8.1
CVE-2023-31136 [HIGH] CWE-522 PostgresNIO processes unencrypted bytes from man-in-the-middle
### Impact
Any user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption.
_The remaining text in this section is quoted verbatim from [PostgreSQL's CVE-2021-23222 advisory](https://www.postgresql.org/support/security/CVE-2021-23222/):_
> If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property i
OSV
PostgresNIO processes unencrypted bytes from man-in-the-middle
osv·2023-05-10·CVSS 8.1
CVE-2023-31136 [HIGH] PostgresNIO processes unencrypted bytes from man-in-the-middle
### Impact
Any user of PostgresNIO connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client's first few queries, despite the use of TLS certificate verification and encryption.
_The remaining text in this section is quoted verbatim from [PostgreSQL's CVE-2021-23222 advisory](https://www.postgresql.org/support/security/CVE-2021-23222/):_
> If more preconditions hold, the attacker can exfiltrate the client's password or other confidential data that might be transmitted early in a session. The attacker must have a way to trick the client's intended server into making the confidential data accessible to the attacker. A known implementation having that property i
OSV
postgresql-9.5 vulnerabilities
osv·2022-09-28·CVSS 8.1
CVE-2021-23214 [HIGH] postgresql-9.5 vulnerabilities
Jacob Champion discovered that PostgreSQL incorrectly handled SSL
certificate verification and encryption. A remote attacker could possibly
use this issue to inject arbitrary SQL queries when a connection is first
established. (CVE-2021-23214)
Tom Lane discovered that PostgreSQL incorrectly handled certain array
subscripting calculations. An authenticated attacker could possibly use
this issue to overwrite server memory and escalate privileges.
(CVE-2021-32027)
GHSA
GHSA-946v-j885-6j5f: Odyssey passes to server unencrypted bytes from man-in-the-middle
ghsa_unreviewed·2022-08-26·CVSS 8.1
CVE-2021-43766 [HIGH] CWE-295
Odyssey passes to server unencrypted bytes from man-in-the-middle. When Odyssey is configured to use certificate Common Name for client authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption. This is similar to CVE-2021-23214 for PostgreSQL.
GHSA
GHSA-467w-rrqc-395f
ghsa_unreviewed·2022-03-05
CVE-2021-23214 [HIGH] CWE-89
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
OSV
CVE-2021-23214
osv·2022-03-04·CVSS 8.1
CVE-2021-23214 [HIGH]
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
https://bugzilla.redhat.com/show_bug.cgi?id=2022666
https://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commit%3Bh=28e24125541545483093819efae9bca603441951
https://github.com/postgres/postgres/commit/28e24125541545483093819efae9bca603441951
https://security.gentoo.org/glsa/202211-04
https://www.postgresql.org/support/security/CVE-2021-23214/