CVE-2021-23222 — Insufficiently Protected Credentials in Postgresql
Severity
5.9MEDIUMNVD
GHSA8.1OSV8.1
EPSS
0.3%
top 48.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedMar 2
Latest updateMay 10
Description
A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6
Affected Packages6 packages
Patches
🔴Vulnerability Details
5GHSA▶
GHSA-xmm7-85wh-j3jf: Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authen↗2022-08-26
GHSA▶
GHSA-735f-7qx4-jqq5: A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encrypt↗2022-03-04
OSV▶
CVE-2021-23222: A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encrypt↗2022-03-02
📋Vendor Advisories
6Microsoft▶
Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use↗2022-08-09
Microsoft▶
A man-in-the-middle attacker can inject false responses to the client's first few queries despite the use of SSL certificate verification and encryption.↗2022-03-08