GHSA-hq9p-pm7w-8p54

Suggest an improvement
Source
https://github.com/advisories/GHSA-hq9p-pm7w-8p54
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/06/GHSA-hq9p-pm7w-8p54/GHSA-hq9p-pm7w-8p54.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hq9p-pm7w-8p54
Aliases
Related
Published
2025-06-11T14:44:04Z
Modified
2025-06-14T06:28:34.537675Z
Downstream
Severity
  • 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N CVSS Calculator
Summary
pgjdbc Client Allows Fallback to Insecure Authentication Despite channelBinding=require Configuration
Details

Impact

When the PostgreSQL JDBC driver is configured with channel binding set to required (default value is prefer), the driver would incorrectly allow connections to proceed with authentication methods that do not support channel binding (such as password, MD5, GSS, or SSPI authentication). This could allow a man-in-the-middle attacker to intercept connections that users believed were protected by channel binding requirements.

Patches

TBD

Workarounds

Configure sslMode=verify-full to prevent MITM attacks.

References

  • https://www.postgresql.org/docs/current/sasl-authentication.html#SASL-SCRAM-SHA-256
  • https://datatracker.ietf.org/doc/html/rfc7677
  • https://datatracker.ietf.org/doc/html/rfc5802
Database specific 
{
    "nvd_published_at": "2025-06-11T15:15:42Z",
    "cwe_ids": [
        "CWE-287"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2025-06-11T14:44:04Z"
}
References

Affected packages

Maven / org.postgresql:postgresql

Package

Name
org.postgresql:postgresql
View open source insights on deps.dev
Purl
pkg:maven/org.postgresql/postgresql

Affected ranges

Type
ECOSYSTEM
Events
Introduced
42.7.4
Fixed
42.7.7

Affected versions

42.*

42.7.4
42.7.5
42.7.6