PT-2018-10194 · Postgresql+2 · Postgresql-Jdbc+2

Pedro Sampaio

Publicado

2018-08-30

Atualizado

2023-07-05

CVE-2018-10936

CVSS v3.1

8.1

Alta

Vetor

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions postgresql-jdbc versions prior to 42.2.5

Description A weakness was found that could allow a man-in-the-middle attacker to masquerade as a trusted server. This occurs when an SSL Factory is provided without a host name verifier, allowing an attacker to provide a certificate for the wrong host, as long as it is signed by a trusted CA.

Recommendations For versions prior to 42.2.5, update to version 42.2.5 or later to resolve the issue. As a temporary workaround, consider providing a host name verifier to the driver to ensure the host name is checked.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-297

Identificadores relacionados

ALT-PU-2023-8463

CVE-2018-10936

GHSA-568Q-9FW5-28WF

SUSE-SU-2020:3466-1

Produtos afetados

Alt Linux

Suse

Postgresql-Jdbc

PT-2018-10194 · Postgresql+2 · Postgresql-Jdbc+2

CVE-2018-10936

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 40