PT-2026-54841 · Pgjdbc · Pgjdbc
Keijot
·
Published
2026-07-02
·
Updated
2026-07-06
·
CVE-2026-54291
CVSS v4.0
8.2
High
| Vector | AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
pgjdbc versions 42.7.4 through 42.7.11
Description
Connections using
channelBinding=require can be silently downgraded from SCRAM-SHA-256-PLUS with channel binding to plain SCRAM-SHA-256. This results in the loss of man-in-the-middle protection. An attacker capable of intercepting the TLS connection can trigger this downgrade using a certificate with a signature algorithm that lacks a tls-server-end-point channel-binding hash. This occurs because the com.ongres.scram:scram-client returns an empty byte array instead of failing, and the ScramAuthenticator() function only verifies that the server advertised a PLUS mechanism without rejecting the empty binding or ensuring the negotiated mechanism utilizes channel binding.Recommendations
Update pgjdbc to version 42.7.12.
Fix
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Pgjdbc