CVE-2021-23214
04.03.2022, 16:15
When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.
| Vendor | Product | Version |
|---|---|---|
| postgresql | postgresql | 𝑥 < 9.6.24 |
| postgresql | postgresql | 10.0 ≤ 𝑥 < 10.19 |
| postgresql | postgresql | 11.0 ≤ 𝑥 < 11.14 |
| postgresql | postgresql | 12.0 ≤ 𝑥 < 12.9 |
| postgresql | postgresql | 13.0 ≤ 𝑥 < 13.5 |
| postgresql | postgresql | 14.0 |
| redhat | software_collections | 1.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux_for_ibm_z_systems | 8.0 |
| redhat | enterprise_linux_for_power_little_endian | 8.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| postgresql-10 |
| ||||||||||||||||||||||
| postgresql-12 |
| ||||||||||||||||||||||
| postgresql-13 |
| ||||||||||||||||||||||
| postgresql-9.1 |
| ||||||||||||||||||||||
| postgresql-9.3 |
| ||||||||||||||||||||||
| postgresql-9.5 |
|
References