GitHub_MCVELIST:CVE-2023-31136CVE-2023-31136 PostgresNIO processes unencrypted bytes from man-in-the-middle
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
6.9 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
58.6%
PostgresNIO is a Swift client for PostgreSQL. Any user of PostgresNIO prior to version 1.14.2 connecting to servers with TLS enabled is vulnerable to a man-in-the-middle attacker injecting false responses to the client’s first few queries, despite the use of TLS certificate verification and encryption. The vulnerability is addressed in PostgresNIO versions starting from 1.14.2. There are no known workarounds for unpatched users.
CNA Affected
[
{
"vendor": "vapor",
"product": "postgres-nio",
"versions": [
{
"version": "< 1.14.2",
"status": "affected"
}
]
}
]References
github.com/advisories/GHSA-467w-rrqc-395f
github.com/advisories/GHSA-735f-7qx4-jqq5
github.com/apple/swift-nio/pull/2419
github.com/vapor/postgres-nio/commit/2df54bc94607f44584ae6ffa74e3cd754fffafc7
github.com/vapor/postgres-nio/releases/tag/1.14.2
github.com/vapor/postgres-nio/security/advisories/GHSA-9cfh-vx93-84vv
www.postgresql.org/support/security/CVE-2021-23214/
www.postgresql.org/support/security/CVE-2021-23222/
Related
3.7 Low
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
6.9 Medium
AI Score
Confidence
High
0.002 Low
EPSS
Percentile
58.6%