CVE-2025-49146
Published 2025-06-11
Priority: P4 (33) · medium · 5.9 (CVSS 3.1)
CVSS vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.46% (36.6th percentile)
pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libpgjava | < 42.7.7-1 (forky) | libpgjava 42.7.7-1 (forky) |
| pgjdbc | pgjdbc | — | — |
| postgresql | postgresql_jdbc_driver | >= 42.7.4 < 42.7.7 | 42.7.7 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
| osv | 5.9 | MEDIUM | |
| vendor_debian | 8.2 | LOW | |
| vendor_oracle | 8.2 | HIGH | |
| vendor_redhat | 8.2 | HIGH | |
GHSA
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration
ghsa · 2025-06-11 · [HIGH] · CWE-287
### Impact
When the PostgreSQL JDBC driver is configured with channel binding set to `required` (default value is `prefer`), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements.
### Patches
TBD
### Workarounds
Configure `sslMode=verify-full` to prevent MITM attacks.
### References
* https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256
* https://datatracker.ietf.org/doc/html/rfc7677
* https://data
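As an added audit example (not part of the advisory and not pgjdbc's own code), the following Python parses a pgjdbc connection URL plus optional connection properties and flags the configuration the advisory describes: a driver version in the affected range 42.7.4 up to but not including 42.7.7, `channelBinding=require` set, and the listed `sslMode=verify-full` workaround absent. The host `db.example`, the URL shapes and the case-insensitive property matching are assumptions made for the audit, not driver behaviour.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Affected range from the advisory: 42.7.4 <= version < 42.7.7 (fixed in 42.7.7).
AFFECTED_MIN = (42, 7, 4)
FIXED_IN = (42, 7, 7)


def parse_version(version: str) -> tuple:
    """Take the leading major.minor.patch of a pgjdbc version string.
    A suffix such as '.jre7' is ignored (assumption about version shapes)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised pgjdbc version: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected_version(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def parse_jdbc_url(url: str) -> Dict[str, str]:
    """Return the query parameters of a jdbc:postgresql://host:port/db?k=v URL.
    Keys are lower-cased so that sslMode and sslmode compare equal; this is an
    assumption for the audit, not how the driver resolves property names."""
    prefix = "jdbc:"
    if not url.startswith(prefix + "postgresql://"):
        raise ValueError("not a pgjdbc URL")
    query = urlsplit(url[len(prefix):]).query
    return {k.lower(): v[-1] for k, v in parse_qs(query).items()}


def assess(url: str, driver_version: str,
           properties: Optional[Dict[str, str]] = None) -> Dict[str, object]:
    """Flag the CVE-2025-49146 configuration: channelBinding=require on an
    affected driver, and whether the sslMode=verify-full workaround is set."""
    props = parse_jdbc_url(url)
    # java.util.Properties passed alongside the URL (hypothetical caller input)
    for k, v in (properties or {}).items():
        props[k.lower()] = v
    channel_binding = props.get("channelbinding", "prefer")  # driver default per the advisory
    ssl_mode = props.get("sslmode", "")
    findings: List[str] = []
    if channel_binding == "require" and is_affected_version(driver_version):
        findings.append(
            f"CVE-2025-49146: pgjdbc {driver_version} may proceed with non-channel-bound "
            "authentication (password, MD5, GSS, SSPI) despite channelBinding=require")
        if ssl_mode != "verify-full":
            findings.append("workaround not applied: set sslMode=verify-full "
                            "(or upgrade to 42.7.7 or later)")
    return {"channelBinding": channel_binding, "sslMode": ssl_mode, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: affected driver, channel binding required, no certificate verification.
    report = assess("jdbc:postgresql://db.example:5432/app?channelBinding=require", "42.7.5")
    for line in report["findings"]:
        print(line)
```

The check deliberately reports nothing for a fixed driver (42.7.7 and later), because there `channelBinding=require` is honoured; it also reports nothing for the default `prefer`, which the advisory does not describe as affected.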
OSV
CVE-2025-49146: pgjdbc is an open source postgresql JDBC Driver
osv · 2025-06-11 · CVSS 5.9 · [MEDIUM]
Description identical to the CVE text above.
OSV (GHSA mirror)
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration
osv · 2025-06-11 · [HIGH]
Impact, Patches (TBD), Workarounds (`sslMode=verify-full`) and References identical to the GHSA advisory above.
Oracle
Oracle Fusion Middleware Risk Matrix: Core (PostgreSQL JDBC Driver) — CVE-2025-49146
vendor_oracle · 2025-07-15 · CVSS 8.2 · [HIGH]
CVE: CVE-2025-49146
CVSS: 8.2
Protocol: Multiple
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2025 (JUL 2025)
Red Hat
pgjdbc: pgjdbc insecure authentication in channel binding
vendor_redhat · 2025-06-11 · CVSS 8.2 · [HIGH] · CWE-287
Description identical to the CVE text above.
A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel bi
Debian
CVE-2025-49146: libpgjava - pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, w...
vendor_debian · 2025 · CVSS 8.2 · [HIGH]
Description identical to the CVE text above.
Scope: local
Suite status:
bookworm: resolved
bullseye: resolved
forky: resolved (fixed in 42.7.7-1)
sid: resolved (fixed in 42.7.7-1)
trixie: resolved (fixed in 42.7.7-1)
No detection rules found.
No public exploits indexed.
Published: 2025-06-11