SQL Injection Vulnerability in PostgreSQL with Trust Authentication
CVE-2021-23214

8.1HIGH

Key Information:

Vendor
PostgreSQL
CVE Published:
4 March 2022

Summary

PostgreSQL servers configured to use trust authentication with a clientcert requirement, or to use cert authentication, allow a man-in-the-middle attacker to inject arbitrary SQL queries when a connection is first established, despite SSL certificate verification and encryption being in use. The root cause is in connection setup: a client opens a connection with a plaintext SSLRequest packet and only then negotiates TLS, and vulnerable servers kept any unencrypted bytes that arrived after the SSLRequest and processed them as if they had been received inside the TLS session. Because trust and cert authentication demand no password, an attacker who can tamper with the plaintext prefix of the connection can smuggle a startup packet and a query that the server executes before it reads the legitimate client's encrypted traffic. Fixed servers reject the connection if any data follows the SSLRequest (or GSSENCRequest) in the clear. Deployments that rely on trust or cert authentication over the network are the ones exposed; requiring a password method such as scram-sha-256 in addition to clientcert=verify-full removes the attacker's ability to authenticate the injected session.
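The exchange described above, as an added example that is not part of the original advisory or of the PostgreSQL source: it models the start of a frontend/backend protocol connection, builds a benign SSLRequest and a constructed "smuggled" one with plaintext bytes appended, and shows the decision a vulnerable server made against the decision a fixed server makes. The message encodings (SSLRequest code 80877103, StartupMessage with protocol version 196608, simple Query message 'Q') are the real wire format; the function names, return strings and the sample user/database values are assumptions for this illustration, and no network connection is made.

```python
import struct

# Frontend/backend protocol constants (real wire values).
SSL_REQUEST_CODE = 80877103      # (1234 << 16) | 5679
GSS_REQUEST_CODE = 80877104      # (1234 << 16) | 5680
PROTOCOL_V3 = 196608             # (3 << 16) | 0


def ssl_request() -> bytes:
    """The 8-byte plaintext SSLRequest a client sends before TLS starts."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def startup_message(params: dict) -> bytes:
    """StartupMessage: int32 length, int32 version, NUL-separated key/value pairs, NUL."""
    body = struct.pack("!I", PROTOCOL_V3)
    for key, value in params.items():
        body += key.encode() + b"\0" + value.encode() + b"\0"
    body += b"\0"
    return struct.pack("!I", 4 + len(body)) + body


def simple_query(sql: str) -> bytes:
    """Simple Query message: 'Q', int32 length (including itself), SQL text, NUL."""
    payload = sql.encode() + b"\0"
    return b"Q" + struct.pack("!I", 4 + len(payload)) + payload


def classify_initial_packet(data: bytes) -> dict:
    """Look at the first bytes on a fresh connection, as the server does.
    Returns the packet kind and whatever plaintext followed an encryption request."""
    if len(data) < 8:
        return {"kind": "incomplete", "trailing": b""}
    length, code = struct.unpack("!II", data[:8])
    if length != 8 or code not in (SSL_REQUEST_CODE, GSS_REQUEST_CODE):
        return {"kind": "startup_or_other", "trailing": b""}
    kind = "SSLRequest" if code == SSL_REQUEST_CODE else "GSSENCRequest"
    return {"kind": kind, "trailing": data[8:]}


def server_decision(data: bytes, patched: bool) -> str:
    """Model (assumption, not PostgreSQL code) of what the postmaster does next.
    Unpatched: trailing plaintext stays in the read buffer and is consumed after the
    TLS handshake as though it were encrypted client data. Patched: the connection
    is refused when unencrypted bytes follow the encryption request."""
    info = classify_initial_packet(data)
    if info["kind"] not in ("SSLRequest", "GSSENCRequest"):
        return "plain-startup"
    if not info["trailing"]:
        return "handshake"
    if patched:
        return "reject-unencrypted-data"
    return "handshake-with-buffered-plaintext"


def parse_messages(buf: bytes) -> list:
    """Decode smuggled bytes: an optional StartupMessage, then typed messages."""
    out = []
    pos = 0
    if len(buf) - pos >= 8:
        length, version = struct.unpack("!II", buf[pos:pos + 8])
        if version == PROTOCOL_V3:
            body = buf[pos + 8:pos + length]
            fields = body.split(b"\0")[:-2]          # drop the two trailing empties
            params = dict(zip(fields[0::2], fields[1::2]))
            out.append(("StartupMessage",
                        {k.decode(): v.decode() for k, v in params.items()}))
            pos += length
    while len(buf) - pos >= 5:
        mtype = buf[pos:pos + 1]
        (length,) = struct.unpack("!I", buf[pos + 1:pos + 5])
        body = buf[pos + 5:pos + 1 + length]
        if mtype == b"Q":
            out.append(("Query", body.rstrip(b"\0").decode()))
        else:
            out.append((mtype.decode(), body))
        pos += 1 + length
    return out


if __name__ == "__main__":
    # Constructed sample: a benign handshake and one with plaintext appended by a MITM.
    benign = ssl_request()
    smuggled = (ssl_request()
                + startup_message({"user": "postgres", "database": "postgres"})
                + simple_query("SELECT 1"))
    for label, data in (("benign", benign), ("smuggled", smuggled)):
        print(label, "unpatched:", server_decision(data, patched=False),
              "patched:", server_decision(data, patched=True))
    print(parse_messages(classify_initial_packet(smuggled)["trailing"]))
```

The check that distinguishes the two outcomes is simply "is there anything in the buffer after the 8-byte request before TLS is up"; a vulnerable server never asked that question. On the configuration side, the scenario only works because the smuggled StartupMessage is authenticated with no secret: a pg_hba.conf line such as `hostssl all all 0.0.0.0/0 trust clientcert=verify-full` is the exposed shape, while `hostssl all all 0.0.0.0/0 scram-sha-256 clientcert=verify-full` keeps the certificate requirement but forces a password exchange the attacker cannot complete.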

Affected Version(s)

PostgreSQL 9.6 before 9.6.24, 10 before 10.19, 11 before 11.14, 12 before 12.9, 13 before 13.5, and 14 before 14.1

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
