CVE-2021-3935

Name of the Vulnerable Software and Affected Versions PgBouncer versions prior to 1.16.1

Description The issue is related to the handling of initial message request data in PgBouncer, which can be exploited by a remote attacker to access confidential data, compromise data integrity, and cause a denial of service. Specifically, when PgBouncer is configured to use "cert" authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of TLS certificate verification and encryption.

Recommendations For versions prior to 1.16.1, update to version 1.16.1 or later to resolve the issue. As a temporary workaround, consider disabling the use of "cert" authentication in PgBouncer until a patch is available. Restrict access to the PgBouncer connection to minimize the risk of exploitation by a man-in-the-middle attacker.