CVE-2025-49146

High CVSS: 8.2

pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements. This vulnerability is fixed in 42.7.7.

Vendor

Postgresql

Product

Postgresql Jdbc Driver

CWE

CWE-287

Yayın Tarihi

2025-06-11 15:15:42

Güncelleme

2025-10-06 19:29:58

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-287 Postgresql Jdbc Driver HIGH Postgresql 2025

Referanslar

https://github.com/pgjdbc/pgjdbc/commit/9217ed16cb2918ab1b6b9258ae97e6ede244d8a0 https://github.com/pgjdbc/pgjdbc/security/advisories/GHSA-hq9p-pm7w-8p54

Benzer Kayıtlar

Medium

CVE-2026-2003

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory.…

High

CVE-2026-2004

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object cre…

High

CVE-2026-2005

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating syst…

High

CVE-2026-2006

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted…

High

CVE-2026-2007

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string.…