PT-2018-10194 · Postgresql+2 · Postgresql-Jdbc+2

Pedro Sampaio

Published

2018-08-30

Updated

2023-07-05

CVE-2018-10936

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions postgresql-jdbc versions prior to 42.2.5

Description A weakness was found that could allow a man-in-the-middle attacker to masquerade as a trusted server. This occurs when an SSL Factory is provided without a host name verifier, allowing an attacker to provide a certificate for the wrong host, as long as it is signed by a trusted CA.

Recommendations For versions prior to 42.2.5, update to version 42.2.5 or later to resolve the issue. As a temporary workaround, consider providing a host name verifier to the driver to ensure the host name is checked.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-297

Related Identifiers

ALT-PU-2023-8463

CVE-2018-10936

GHSA-568Q-9FW5-28WF

SUSE-SU-2020:3466-1

Affected Products

Alt Linux

Suse

Postgresql-Jdbc

PT-2018-10194 · Postgresql+2 · Postgresql-Jdbc+2

CVE-2018-10936

Weakness Enumeration

Related Identifiers

Affected Products

References · 40