FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

PostgreSQL -- Possible man-in-the-middle attacks

Affected packages
postgresql14-server < 14.1
postgresql13-server < 13.5
postgresql12-server < 12.9
postgresql11-server < 11.14
postgresql10-server < 10.19
postgresql96-server < 9.6.24

Details

VuXML ID 2ccd71bd-426b-11ec-87db-6cc21735f730
Discovery 2021-11-08
Entry 2021-11-10

The PostgreSQL Project reports:

CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)

CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.

References

CVE Name CVE-2021-23214
CVE Name CVE-2021-23222