CVE-2025-49146Improper Authentication in Postgresql Jdbc Driver

CWE-287Improper Authentication8 documents7 sources
Severity
5.9MEDIUMNVD
CNA8.2
EPSS
0.0%
top 88.05%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Postgresql Jdbc DriverPgjdbc
Timeline
PublishedJun 11
Latest updateJul 15

Description

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requiremen

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

NVDpostgresql/postgresql_jdbc_driver42.7.442.7.7
CVEListV5pgjdbc/pgjdbc>= 42.7.4, < 42.7.7

Patches

Patch: github.com

🔴Vulnerability Details

4
GHSA
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration2025-06-11
OSV
CVE-2025-49146: pgjdbc is an open source postgresql JDBC Driver2025-06-11
OSV
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration2025-06-11
CVEList
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration2025-06-11

📋Vendor Advisories

3
Oracle
Oracle Oracle Fusion Middleware Risk Matrix: Core (PostgreSQL JDBC Driver) — CVE-2025-491462025-07-15
Red Hat
pgjdbc: pgjdbc insecure authentication in channel binding2025-06-11
Debian
CVE-2025-49146: libpgjava - pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, w...2025
CVE-2025-49146 — Improper Authentication in Postgresql | cvebase