PT-2020-4892 · Postgresql+9
Published 2020-11-11 · Updated 2026-03-07
CVE-2020-25694
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
PostgreSQL versions prior to 13.1
PostgreSQL versions prior to 12.5
PostgreSQL versions prior to 11.10
PostgreSQL versions prior to 10.15
PostgreSQL versions prior to 9.6.20
PostgreSQL versions prior to 9.5.24
Description:
A flaw was found in the client-side tooling shipped with PostgreSQL. psql's \connect command, when given only a database name, and several bundled utilities that open additional connections (for example pg_dump and pg_restore in parallel mode) rebuilt the new connection from only the basic parameters of the existing one (host, port, user, database name) and dropped the rest. If a dropped parameter was security-relevant, such as sslmode, requirepeer or passfile, the new connection silently fell back to libpq defaults: with sslmode no longer set to verify-full the client would accept an unverified server certificate or a cleartext session, giving a network attacker the opportunity to complete a man-in-the-middle attack or observe cleartext transmission; dropping requirepeer allows a peer-identity check to be bypassed, and a downgraded session can expose the user's password. The highest threat from this issue is to data confidentiality and integrity as well as system availability.
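The parameter-dropping behaviour described above, as an added simulation (this is not PostgreSQL or libpq code): a small parser for libpq keyword=value connection strings, a "reconnect" that keeps only basic parameters next to one that carries everything over, and a check that reports which security parameters lost their effective value. The set of security-relevant keys and the default values for sslmode and gssencmode are assumptions taken from libpq's documented defaults; the connection string is constructed sample input.

```python
"""Simulation of the CVE-2020-25694 reconnect downgrade.

Added illustration, not PostgreSQL/libpq code. It models how a client that
reconnects by copying only the "basic" parameters (host, port, user, dbname)
silently discards security-relevant ones such as sslmode, so the second
connection runs with libpq's defaults instead of the caller's settings.
"""

# libpq keys that affect transport security, peer authentication or credential
# handling. Illustrative list; the PostgreSQL advisory itself names passfile,
# requirepeer and sslmode as examples.
SECURITY_PARAMS = {
    "sslmode", "requiressl", "sslrootcert", "sslcert", "sslkey", "sslcrl",
    "gssencmode", "channel_binding", "requirepeer", "passfile",
}

# What a naive "reconnect to another database" copies from the old connection.
BASIC_PARAMS = {"host", "port", "user", "dbname"}

# libpq defaults that apply when a key is omitted (assumed from libpq docs):
# sslmode=prefer accepts cleartext if the server does not offer TLS and never
# verifies the server certificate.
LIBPQ_DEFAULTS = {"sslmode": "prefer", "gssencmode": "prefer"}


def parse_conninfo(conninfo: str) -> dict:
    """Parse a libpq-style 'key=value key='quoted value'' string.

    Simplified: values may be single-quoted with backslash escapes, whitespace
    is allowed around '=', keys are never quoted.
    """
    params = {}
    i, n = 0, len(conninfo)
    while i < n:
        while i < n and conninfo[i].isspace():
            i += 1
        if i >= n:
            break
        eq = conninfo.index("=", i)          # ValueError on a key without '='
        key = conninfo[i:eq].strip()
        i = eq + 1
        while i < n and conninfo[i].isspace():
            i += 1
        if i < n and conninfo[i] == "'":
            i += 1
            buf = []
            while i < n and conninfo[i] != "'":
                if conninfo[i] == "\\" and i + 1 < n:
                    i += 1                   # escaped quote or backslash
                buf.append(conninfo[i])
                i += 1
            i += 1                           # skip closing quote
            value = "".join(buf)
        else:
            start = i
            while i < n and not conninfo[i].isspace():
                i += 1
            value = conninfo[start:i]
        params[key] = value
    return params


def reconnect_vulnerable(original: dict, new_dbname: str) -> dict:
    """Pre-fix behaviour: rebuild the connection from basic parameters only."""
    new = {k: v for k, v in original.items() if k in BASIC_PARAMS}
    new["dbname"] = new_dbname
    return new


def reconnect_fixed(original: dict, new_dbname: str) -> dict:
    """Post-fix behaviour: carry every original parameter, override dbname only."""
    new = dict(original)
    new["dbname"] = new_dbname
    return new


def effective(params: dict) -> dict:
    """Fill in libpq defaults for omitted keys."""
    return {**LIBPQ_DEFAULTS, **params}


def downgraded_params(original: dict, reconnected: dict) -> dict:
    """Map each security key whose effective value changed to (before, after)."""
    before, after = effective(original), effective(reconnected)
    return {k: (before.get(k), after.get(k))
            for k in SECURITY_PARAMS
            if k in before and before.get(k) != after.get(k)}


if __name__ == "__main__":
    # Constructed sample: a connection that insists on a verified TLS server.
    conninfo = ("host=db.example.internal port=5432 user=app dbname=app "
                "sslmode=verify-full sslrootcert='/etc/ssl/pg ca.crt' "
                "passfile=/run/secrets/pgpass")
    orig = parse_conninfo(conninfo)
    for label, fn in (("vulnerable", reconnect_vulnerable),
                      ("fixed", reconnect_fixed)):
        print(label, "downgraded:", downgraded_params(orig, fn(orig, "reporting")))
```

Running it shows the vulnerable reconnect turning sslmode from verify-full into prefer and losing sslrootcert and passfile entirely, while the fixed reconnect reports no change. The same check can be pointed at any conninfo string you use in scripts to see what a bare `\connect dbname` would throw away.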
Recommendations:
For PostgreSQL versions prior to 13.1, update to version 13.1 or later to resolve the issue.
For PostgreSQL versions prior to 12.5, update to version 12.5 or later to resolve the issue.
For PostgreSQL versions prior to 11.10, update to version 11.10 or later to resolve the issue.
For PostgreSQL versions prior to 10.15, update to version 10.15 or later to resolve the issue.
For PostgreSQL versions prior to 9.6.20, update to version 9.6.20 or later to resolve the issue.
For PostgreSQL versions prior to 9.5.24, update to version 9.5.24 or later to resolve the issue.
Until the client tools are updated: when reconnecting, always pass a complete connection string (or URI) that repeats the security parameters, for example \connect "dbname=reporting sslmode=verify-full" rather than \connect reporting; avoid the parallel and multi-connection modes of the affected utilities against remote servers; and, on the server side, restrict pg_hba.conf to hostssl entries so that a connection downgraded to cleartext is rejected instead of accepted. Server-side enforcement cannot restore client-side certificate verification (verify-full), so it narrows but does not remove the man-in-the-middle risk; only the client update closes it.
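The server-side part of that workaround, as an added pg_hba.conf fragment that is not from the advisory: network addresses and the authentication method are placeholders (use md5 on 9.x servers, where scram-sha-256 is not available), and records are matched top to bottom, so the permissive hostssl line must come first.

```conf
# pg_hba.conf (added example; addresses and auth method are placeholders)
# TYPE      DATABASE  USER  ADDRESS        METHOD
# Accept application clients only over TLS.
hostssl     all       all   10.0.0.0/8     scram-sha-256
# Explicitly refuse anything that arrives without TLS, which is exactly what a
# client whose sslmode was dropped on reconnect may fall back to.
hostnossl   all       all   0.0.0.0/0      reject
hostnossl   all       all   ::/0           reject
```

Reload the server after editing (pg_ctl reload or SELECT pg_reload_conf()) and confirm with a deliberate sslmode=disable connection that it is refused. This blocks the cleartext downgrade only; a client that fell back to sslmode=prefer still negotiates TLS without verifying the server certificate, which is why the client update remains the actual fix.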
Weakness type: Use of a Broken Cryptographic Algorithm
Affected Products
Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Postgresql
Red Hat
Rocky Linux
Suse
Ubuntu