
Joe Conway

#41336 of 53,633
6.5 Total CVSS
Vulnerabilities · 1
PT-2026-40923
6.5
2026-05-14
Postgresql Global Development Group · Postgresql · CVE-2026-6478
**Name of the Vulnerable Software and Affected Versions**

- PostgreSQL versions prior to 18.4
- PostgreSQL versions prior to 17.10
- PostgreSQL versions prior to 16.14
- PostgreSQL versions prior to 15.18
- PostgreSQL versions prior to 14.23

**Description**

A covert timing channel exists in the comparison of MD5-hashed passwords during the authentication process. An attacker can use it to recover user credentials and authenticate. This issue does not affect scram-sha-256 passwords, which are the default in all supported releases, but it may impact databases that still hold MD5-hashed passwords after an upgrade from version 13 or earlier.

**Recommendations**

- Update to version 18.4 or later.
- Update to version 17.10 or later.
- Update to version 16.14 or later.
- Update to version 15.18 or later.
- Update to version 14.23 or later.
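
An added example (not from the advisory or the PostgreSQL project): a Python audit that takes the output of `SHOW server_version` and the `rolname, rolpassword` rows of `pg_authid`, then reports which roles still hold MD5-hashed passwords and whether the server is older than the fixed releases listed above. The function names and sample rows are constructed for illustration.

```python
import hashlib
import re

# First fixed minor release per major branch, taken from the advisory above.
FIXED_MINOR = {18: 4, 17: 10, 16: 14, 15: 18, 14: 23}

# Stored verifier formats: "md5" + 32 hex digits, or a SCRAM-SHA-256 record.
MD5_RE = re.compile(r"^md5[0-9a-f]{32}$")
SCRAM_RE = re.compile(r"^SCRAM-SHA-256\$\d+:[A-Za-z0-9+/=]+\$[A-Za-z0-9+/=]+:[A-Za-z0-9+/=]+$")

def server_is_patched(server_version):
    """True/False for a branch the advisory lists, None for any other."""
    m = re.match(r"(\d+)\.(\d+)", server_version.strip())
    if not m or int(m.group(1)) not in FIXED_MINOR:
        return None
    return int(m.group(2)) >= FIXED_MINOR[int(m.group(1))]

def verifier_kind(rolpassword):
    """Classify one pg_authid.rolpassword value."""
    if rolpassword is None:
        return "none"
    if MD5_RE.match(rolpassword):
        return "md5"
    if SCRAM_RE.match(rolpassword):
        return "scram-sha-256"
    return "unknown"

def audit(server_version, rows):
    """Report which roles hold MD5 verifiers and whether the server is exposed."""
    md5_roles = sorted(name for name, pw in rows if verifier_kind(pw) == "md5")
    patched = server_is_patched(server_version)
    if not md5_roles:
        exposed = False          # only MD5-hashed passwords are affected
    elif patched is None:
        exposed = None           # branch not covered by the advisory's list
    else:
        exposed = not patched
    return {"patched": patched, "md5_roles": md5_roles, "exposed": exposed}

# Constructed sample rows (rolname, rolpassword); not real credentials.
SAMPLE_ROWS = [
    ("legacy_app", "md5" + hashlib.md5(b"constructed-pw" + b"legacy_app").hexdigest()),
    ("reporting", "SCRAM-SHA-256$4096:c2FsdA==$c3RvcmVka2V5:c2VydmVya2V5"),
    ("nologin_group", None),
]

if __name__ == "__main__":
    print(audit("16.13 (Debian 16.13-1.pgdg120+1)", SAMPLE_ROWS))
```

Reading `pg_authid` requires superuser privileges; an `exposed` value of `None` means the server's major version is not one of the branches the advisory lists.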