BIT-postgresql-jdbc-driver-2026-54291

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/postgresql-jdbc-driver/BIT-postgresql-jdbc-driver-2026-54291.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-postgresql-jdbc-driver-2026-54291
Aliases
Published
2026-07-12T23:50:28.176Z
Modified
2026-07-13T06:26:31.622106778Z
Summary
Silent channel-binding authentication downgrade via unsupported certificate algorithms
Details

pgjdbc is an open source postgresql JDBC Driver. In releases 42.7.4 through 42.7.11, channelBinding=require connections can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256 without it, losing the man-in-the-middle protection the setting is meant to guarantee. An attacker who can intercept the TLS connection can trigger the downgrade with a certificate whose signature algorithm has no tls-server-end-point channel-binding hash, because the bundled com.ongres.scram:scram-client returns an empty byte array instead of failing and pgJDBC ScramAuthenticator checks only that the server advertised a PLUS mechanism, without rejecting the empty binding or checking that the negotiated mechanism uses channel binding. This issue is fixed in version 42.7.12.

Database specific
{
    "severity": "High",
    "cpes": [
        "cpe:2.3:a:postgresql:postgresql_jdbc_driver:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / postgresql-jdbc-driver

Package

Name
postgresql-jdbc-driver
Purl
pkg:bitnami/postgresql-jdbc-driver

Severity

  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
42.7.4
Fixed
42.7.12

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/postgresql-jdbc-driver/BIT-postgresql-jdbc-driver-2026-54291.json"