JLSEC-2026-36

See a problem?
Please try reporting it to the source first.

Source

https://github.com/JuliaLang/SecurityAdvisories.jl/blob/main/advisories/published/2026/JLSEC-2026-36.md

Import Source

https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-36.json

JSON Data

https://api.osv.dev/v1/vulns/JLSEC-2026-36

Upstream

CVE-2021-43767

Published

2026-04-03T13:27:15.647Z

Modified

2026-04-03T13:30:23.778387Z

Summary

[none]

Details

Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.

Database specific

{
    "license": "CC-BY-4.0",
    "sources": [
        {
            "html_url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43767",
            "modified": "2024-11-21T06:29:45Z",
            "id": "CVE-2021-43767",
            "published": "2022-08-25T18:15:09.377Z",
            "imported": "2026-04-03T13:13:10.185Z",
            "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2021-43767"
        }
    ]
}

References

Affected packages

Julia / LibPQ_jll

Package

Name: LibPQ_jll
Purl: pkg:julia/LibPQ_jll?uuid=08be9ffa-1c94-5ee5-a977-46a84ec9b350

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

14.1.0+0

Database specific

source

"https://github.com/JuliaLang/SecurityAdvisories.jl/tree/generated/osv/2026/JLSEC-2026-36.json"