CVE-2025-49146
published 2025-06-11

Priority: P4 33
Severity: medium, 5.9 (CVSS 3.1)
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.46% (36.6th percentile)
pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

Affected (3 ranges)

Vendor      | Product                 | Version range                     | Fixed in
------------|-------------------------|-----------------------------------|------------------------------
debian      | libpgjava               | < libpgjava 42.7.7-1 (forky)      | libpgjava 42.7.7-1 (forky)
pgjdbc      | pgjdbc                  | (not given)                       | (not given)
postgresql  | postgresql_jdbc_driver  | >= 42.7.4, < 42.7.7               | 42.7.7

CVSS provenance

Source         | Version | Score | Severity | Vector
---------------|---------|-------|----------|----------------------------------------------
nvd            | v3.1    | 5.9   | MEDIUM   | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
osv            |         | 5.9   | MEDIUM   |
vendor_debian  |         | 8.2   | LOW      |
vendor_oracle  |         | 8.2   | HIGH     |
vendor_redhat  |         | 8.2   | HIGH     |