Man-in-the-Middle Injection Vulnerability in PgBouncer by PgBouncer Team
CVE-2021-3935
8.1 HIGH
What is CVE-2021-3935?
A configuration flaw in PgBouncer permits a man-in-the-middle attacker to inject arbitrary SQL queries while a connection is being established when 'cert' authentication is enabled. The injection is possible even though TLS certificate verification and encryption are in place, and it can lead to unauthorized access to or manipulation of data. All versions prior to 1.16.1 are affected, so updating to the latest release is the way to mitigate this risk.
Affected Version(s)
pgbouncer PgBouncer 1.16.1
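
The two conditions in the description (a release before 1.16.1 and 'cert' authentication enabled) can be checked per instance. The following is an added example, not code from the PgBouncer project: the function names and the sample `pgbouncer.ini` are constructed for illustration, and it reads only the `auth_type` setting in the `[pgbouncer]` section.

```python
import re

FIXED = (1, 16, 1)  # advisory: every release before 1.16.1 is affected

# Constructed sample pgbouncer.ini, not from a real deployment.
SAMPLE_INI = """\
[databases]
appdb = host=127.0.0.1 port=5432 dbname=appdb

[pgbouncer]
; client-facing TLS with certificate authentication
client_tls_sslmode = verify-full
auth_type = cert
"""

def parse_version(text):
    """Return (major, minor, patch) from text such as 'PgBouncer 1.16.0'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part or 0) for part in m.groups())

def pgbouncer_settings(ini_text):
    """Collect key = value pairs from the [pgbouncer] section only."""
    settings, section = {}, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "pgbouncer" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip().lower()
    return settings

def assess(version_text, ini_text):
    """Classify one instance as 'exposed', 'review', 'outdated' or 'patched'."""
    if parse_version(version_text) >= FIXED:
        return "patched"
    auth = pgbouncer_settings(ini_text).get("auth_type", "")
    if auth == "cert":
        return "exposed"   # affected release with cert authentication on
    if auth == "hba":
        return "review"    # method is set per rule in the HBA file, not parsed here
    return "outdated"      # affected release, cert authentication not configured

if __name__ == "__main__":
    for v in ("PgBouncer 1.16.0", "PgBouncer 1.9.0", "PgBouncer 1.16.1"):
        print(v, "->", assess(v, SAMPLE_INI))
```

The version text can be taken from the first line of `pgbouncer --version`. Versions are compared as integer tuples so that 1.9.0 is correctly ordered before 1.16.1, which a plain string comparison would get wrong.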
