CVE-2021-43767
- Source
- https://cve.org/CVERecord?id=CVE-2021-43767
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-43767.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2021-43767
- Aliases
- Published
- 2022-08-25T18:15:09.377Z
- Modified
- 2026-02-13T08:46:50.333729Z
- Severity
-
- 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- [none]
- Details
-
Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.
- References
Affected packages
Git / github.com/postgres/postgres
Affected ranges
- Type
- GIT
- Repo
- https://github.com/postgres/postgres
- Events
-
IntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixed
Affected versions
Other
REL9_6_0
REL9_6_1
REL9_6_10
REL9_6_11
REL9_6_12
REL9_6_13
REL9_6_14
REL9_6_15
REL9_6_16
REL9_6_17
REL9_6_18
REL9_6_19
REL9_6_2
REL9_6_20
REL9_6_21
REL9_6_22
REL9_6_23
REL9_6_3
REL9_6_4
REL9_6_5
REL9_6_6
REL9_6_7
REL9_6_8
REL9_6_9
REL_10_0
REL_10_1
REL_10_10
REL_10_11
REL_10_12
REL_10_13
REL_10_14
REL_10_15
REL_10_16
REL_10_17
REL_10_18
REL_10_2
REL_10_3
REL_10_4
REL_10_5
REL_10_6
REL_10_7
REL_10_8
REL_10_9
REL_11_0
REL_11_1
REL_11_10
REL_11_11
REL_11_12
REL_11_13
REL_11_2
REL_11_3
REL_11_4
REL_11_5
REL_11_6
REL_11_7
REL_11_8
REL_11_9
REL_12_0
REL_12_1
REL_12_2
REL_12_3
REL_12_4
REL_12_5
REL_12_6
REL_12_7
REL_12_8
REL_13_0
REL_13_1
REL_13_2
REL_13_3
REL_13_4